CVE-2024-35202

Published: Oct 10, 2024Modified: May 22, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Bitcoin Core before 25.0 allows remote attackers to cause a denial of service (blocktxn message-handling assertion and node exit) by including transactions in a blocktxn message that are not committed to in a block's merkle root. FillBlock can be called twice for one PartiallyDownloadedBlock instance.

Affected (1)

Products: Bitcoin: Bitcoin Core

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bitcoin Bitcoin Core	Before 25.0

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (5)

https://bitcoincore.org/en/2024/10/08/disclose-blocktxn-crash/

Source: cve@mitre.org

PatchVendor Advisory

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

Source: cve@mitre.org

Third Party Advisory

https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-25.0.md

Source: cve@mitre.org

Release Notes

https://github.com/bitcoin/bitcoin/pull/26898

Source: cve@mitre.org

Issue Tracking

https://github.com/bitcoin/bitcoin/releases/tag/v25.0

Source: cve@mitre.org

Release Notes

Timeline

No history available yet.