Bitcoin Core vulnerabilities
52 known vulnerabilities affecting bitcoin/bitcoin_core.
Total CVEs: 52
CISA KEV: 0
Public exploits: 0
Exploited in wild: 3
Severity breakdown: HIGH 26, MEDIUM 26
Vulnerabilities (page 2 of 3)
Entry format: CVE ID | Pn | severity | CVSS score | CWE | affected or fixed versions | date
CVE-2019-25220 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 24.0.1 | 2024-11-18
Bitcoin Core before 24.0.1 allows remote attackers to cause a denial of service (daemon crash) via a flood of low-difficulty header chains (aka a "Chain Width Expansion" attack) because a node does not first verify that a presented chain has enough work before committing to store it.
Source: nvd
CVE-2024-52916 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 0.15.0 | 2024-11-18
Bitcoin Core before 0.15.0 allows a denial of service (OOM kill of a daemon process) via a flood of minimum difficulty headers.
Source: nvd
CVE-2024-52915 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 0.20.0 | 2024-11-18
Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption) via a crafted INV message.
Source: nvd
CVE-2024-52920 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 0.20.0 | 2024-11-18
Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (infinite loop) via a malformed GETDATA message.
Source: nvd
CVE-2012-4684 | P4 | HIGH | CVSS 7.8 | CWE-399 | affects v0.3.4, v0.3.5, +28 more | 2013-03-12
The alert functionality in bitcoind and Bitcoin-Qt before 0.7.0 supports different character representations of the same signature data, but relies on a hash of this signature, which allows remote attackers to cause a denial of service (resource consumption) via a valid modified signature for a circulating alert.
Source: nvd
CVE-2015-3641 | P4 | HIGH | CVSS 7.5 | CWE n/a | fixed in 0.10.2 | 2020-03-12
bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a denial of service (disabled functionality such as a client application crash) via an "Easy" attack.
Source: nvd
CVE-2024-52922 | P4 | MEDIUM | CVSS 6.5 | CWE n/a | fixed in 25.1 | 2024-11-18
In Bitcoin Core before 25.1, an attacker can cause a node to not download the latest block, because there can be minutes of delay when an announcing peer stalls instead of complying with the peer-to-peer protocol specification.
Source: nvd
CVE-2013-2292 | P4 | HIGH | CVSS 7.8 | CWE-399 | affects ≤ 0.8.0, v0.3.4, +29 more | 2013-03-12
bitcoind and Bitcoin-Qt 0.8.0 and earlier allow remote attackers to cause a denial of service (electricity consumption) by mining a block to create a nonstandard Bitcoin transaction containing multiple OP_CHECKSIG script opcodes.
Source: nvd
CVE-2013-3220 | P4 | MEDIUM | CVSS 6.4 | CWE-399 | affects v0.3.4, v0.3.5, +28 more | 2013-08-02
bitcoind and Bitcoin-Qt before 0.4.9rc2, 0.5.x before 0.5.8rc2, 0.6.x before 0.6.5rc2, and 0.7.x before 0.7.3rc2, and wxBitcoin, do not properly consider whether a block's size could require an excessive number of database locks, which allows remote attackers to cause a denial of service (split) and enable certain double-spending capabilities via a la
Source: nvd
CVE-2017-18350 | P4 | MEDIUM | CVSS 5.9 | CWE-120 | fixed in 0.15.1 | 2020-03-12
bitcoind and Bitcoin-Qt prior to 0.15.1 have a stack-based buffer overflow if an attacker-controlled SOCKS proxy server is used. This results from an integer signedness error when the proxy server responds with an acknowledgement of an unexpected target domain name.
Source: nvd
CVE-2018-20586 | P4 | MEDIUM | CVSS 5.3 | CWE-116 | affects v0.12.0, v0.12.1, +17 more | 2020-03-12
bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary data into the debug log via an RPC call.
Source: nvd
CVE-2013-3219 | P4 | MEDIUM | CVSS 5.0 | CWE-264 | affects v0.8.0 | 2013-08-02
bitcoind and Bitcoin-Qt 0.8.x before 0.8.1 do not enforce a certain block protocol rule, which allows remote attackers to bypass intended access restrictions and conduct double-spending attacks via a large block that triggers incorrect Berkeley DB locking in older product versions.
Source: nvd
CVE-2013-2272 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | affects v0.3.4, v0.3.5, +28 more | 2013-03-12
The penny-flooding protection mechanism in the CTxMemPool::accept method in bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1 allows remote attackers to determine associations between wallet addresses and IP addresses via a series of large Bitcoin tra
Source: nvd
CVE-2024-52917 | P4 | MEDIUM | CVSS 6.5 | CWE-770 | fixed in 22.0 | 2024-11-18
Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device.
Source: nvd
CVE-2024-55563 | P4 | MEDIUM | CVSS 5.3 | CWE n/a | affects ≤ 27.2 | 2024-12-09
Bitcoin Core through 27.2 allows transaction-relay jamming via an off-chain protocol attack, a related issue to CVE-2024-52913. For example, the outcome of an HTLC (Hashed Timelock Contract) can be changed because a flood of transaction traffic prevents propagation of certain Lightning channel transactions.
Source: nvd
CVE-2025-46598 | P4 | MEDIUM | CVSS 5.3 | CWE-405 | fixed in 0.30.0 | 2026-03-20
Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.
Source: nvd
CVE-2024-52913 | P4 | MEDIUM | CVSS 5.3 | CWE-770 | fixed in 0.21.0 | 2024-11-18
In Bitcoin Core before 0.21.0, an attacker could prevent a node from seeing a specific unconfirmed transaction, because transaction re-requests are mishandled.
Source: nvd
CVE-2018-20587 | P4 | MEDIUM | CVSS 5.5 | CWE n/a | affects ≥ 0.12.0, ≤ 0.17.1 | 2019-02-11
Bitcoin Core 0.12.0 through 0.17.1 and Bitcoin Knots 0.12.0 through 0.17.x before 0.17.1.knots20181229 have Incorrect Access Control. Local users can exploit this to steal currency by binding the RPC IPv4 localhost port, and forwarding requests to the IPv6 localhost port.
Source: nvd
CVE-2024-52921 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | fixed in 25.0 | 2024-11-18
In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block.
Source: nvd
CVE-2013-4165 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | affects v0.8.1 | 2013-08-02
The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides information about authentication failure upon detecting the first incorrect byte of a password, which makes it easier for remote attackers to determine passwords via a timing side-channel attack.
Source: nvd