CVE-2024-52917

Published: Nov 18, 2024Modified: Apr 30, 2025

6.5

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device.

Affected (1)

Products: Bitcoin: Bitcoin Core

Bitcoin

1 product

Bitcoin Core

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bitcoin Bitcoin Core	Before 22.0

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (2)

https://bitcoincore.org/en/2024/07/31/disclose-upnp-oom/

Source: cve@mitre.org

Vendor Advisory

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

Source: cve@mitre.org

Third Party Advisory

Timeline

No history available yet.