
Critical Vulnerability in Bitcoin Core: Miners May Potentially Crash Nodes Remotely


Bitcoin Core developers have disclosed a critical vulnerability that could allow miners to crash Bitcoin nodes remotely. Tracked as CVE-2024-52911, the bug affected versions of Bitcoin Core released after 0.14.0 and prior to 29.0. The issue was resolved in April 2025 with the release of Bitcoin Core 29.0. Details of the vulnerability were not made public until May 5, 2026, after support for the last vulnerable version, 28.x, ended on April 19, 2026.

Nature of the Vulnerability

The root of the problem lay in the program’s script interpreter and its block validation logic. Specifically, a crafted block could cause Bitcoin Core to access memory that had already been released (a use-after-free) during the intricate process of validating transactions. Bitcoin Core precomputes transaction input data and runs script checks on background threads. A maliciously structured block could corrupt cached data at the moment another thread attempted to access it.

According to the Bitcoin Core team, the vulnerability could let attackers with substantial proof-of-work resources force targeted nodes to crash. The team acknowledged that remote code execution was possible but deemed it “unlikely” due to the limitations imposed by block data.

Challenges of Exploitation

Executing such an attack, however, was not straightforward. Miners would have had to produce a specially crafted block carrying enough proof of work to reach the tip of the blockchain. This requirement made the attack financially burdensome: the block would be invalid, so it would not earn the usual block reward that compensates a miner for the work spent.

Response and Mitigation

Bitcoin Core has stated that there is no evidence the bug was exploited in any real-world attack. Its disclosure focuses mainly on the nature of the flaw, the remediation steps taken, and the disclosure timeline. Importantly, this security issue did not alter any of Bitcoin’s consensus rules; it was strictly a memory management problem in the Bitcoin Core software, not in the protocol rules that determine whether Bitcoin blocks or transactions are valid.

The vulnerability was first privately reported on November 2, 2024, by Cory Fields of the MIT Digital Currency Initiative, who also provided a proof of concept and suggestions for mitigating the associated risks. A fix was swiftly rolled out four days later by Pieter Wuille through pull request 31112, which was merged in December 2024, ahead of the official fix shipped in Bitcoin Core 29.0.

Ongoing Risks

Following its policy for revealing major vulnerabilities, Bitcoin Core waited until all affected versions reached their end of life before sharing details about this high-severity issue. However, users running Bitcoin Core versions prior to 29.0 remain at risk: the software does not update automatically, so users must install newer versions manually. Previous studies have indicated that a significant percentage (21%) of Bitcoin nodes were still running outdated versions as of June 2021, highlighting the ongoing security risks associated with legacy client software.
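For operators who need to find nodes still in the affected range, the following added example (not code from Bitcoin Core or from the original article) classifies the user-agent string a node reports in the `subversion` field of `getnetworkinfo`. It applies the range exactly as worded above (after 0.14.0, before 29.0); the host names and inventory are constructed sample data.

```python
import re

# Affected range as stated in the article: after 0.14.0 and prior to 29.0.
LOWER_EXCLUSIVE = (0, 14, 0, 0)
FIXED_IN = (29, 0, 0, 0)

# Matches "/Satoshi:0.21.1/", "/Satoshi:28.1.0/", "/Satoshi:27.0.0(comment)/".
_SATOSHI = re.compile(r"/Satoshi:(\d+(?:\.\d+){1,3})")

def parse_core_version(subver):
    """Return a 4-tuple comparable across the old 0.x and new numbering,
    or None if the string advertises no Satoshi version."""
    m = _SATOSHI.search(subver or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(subver):
    """'affected', 'not-affected', or 'unknown' (other client or garbled)."""
    v = parse_core_version(subver)
    if v is None:
        return "unknown"
    return "affected" if LOWER_EXCLUSIVE < v < FIXED_IN else "not-affected"

def audit(inventory):
    """Return hosts to upgrade or review by hand, sorted by name.
    The user agent is self-reported, so 'unknown' is never treated as safe."""
    return sorted(h for h, ua in inventory.items()
                  if classify(ua) != "not-affected")

# Constructed inventory: host name -> getnetworkinfo "subversion" value.
SAMPLE_INVENTORY = {
    "node-a": "/Satoshi:29.0.0/",
    "node-b": "/Satoshi:28.1.0/",
    "node-c": "/Satoshi:0.21.1/",
    "node-d": "/Satoshi:0.14.0/",
    "node-e": "/exampleclient:1.2.3/",  # hypothetical non-Core client
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
```
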
