https://btc-zhtw-review.achow101.com <p>After Bitcoin Core 0.14.0 and before Bitcoin Core 29.0, validating a specially-crafted block may cause the node to access previously freed memory.</p> <p>During validation, necessary data required for checking inputs for each transaction is pre-calculated and cached. For specially crafted invalid blocks, it was possible for this data to be destroyed while it was still being accessed by a background validation thread. An attacker capable of mining a block with sufficient proof-of-work could have exploited this to crash victim nodes. Because of the nature of use-after-free bugs, it is possible that the crash could have been used for remote code execution, though constraints on the input (block) data make this unlikely.</p> <p>This issue is considered <strong>High</strong> severity.</p> <h2 id="details">Details</h2> <p>By default, script validation for new blocks is dispatched to background threads via a vector of <code class="language-plaintext highlighter-rouge">CScriptCheck</code> functors. Each CScriptCheck holds a pointer to a <code class="language-plaintext highlighter-rouge">PrecomputedTransactionData</code> object which stores some data needed by each input in the transaction. Because it stores a pointer and not the data itself, care must be taken to ensure that the <code class="language-plaintext highlighter-rouge">PrecomputedTransactionData</code> outlives the <code class="language-plaintext highlighter-rouge">CScriptCheck</code>.</p> <p>The script checks lifetime is enforced by an RAII class, <code class="language-plaintext highlighter-rouge">CCheckQueueControl</code>. However, the control is intantiated before the precomputed transaction data. Because local objects in C++ are <a href="https://isocpp.org/wiki/faq/dtors#order-dtors-for-locals">destructed in reverse order of construction</a>, this means the vector of <code class="language-plaintext highlighter-rouge">PrecomputedTransactionData</code> is destroyed <em>before</em> the <code class="language-plaintext highlighter-rouge">CCheckQueueControl</code>.</p> <p>This is not an issue when the block is valid, as <code class="language-plaintext highlighter-rouge">CCheckQueueControl::Wait()</code> will be called before the function returns and the <code class="language-plaintext highlighter-rouge">PrecomputedTransactionData</code> gets destroyed. However, in case of an early return (when a separate check fails) a background script thread may read the precomputed transaction data after it was destroyed. An attacker could exploit this to crash victim nodes at the expense of a valid PoW at tip.</p> <h2 id="attribution">Attribution</h2> <p>Cory Fields (MIT DCI) discovered this vulnerability and responsibly disclosed it in a detailed report containing a proof of concept for reproduction and a proposed mitigation.</p> <h2 id="timeline">Timeline</h2> <ul> <li>2024-11-02 Cory Fields privately reports the bug</li> <li>2024-11-06 Pieter Wuille pushes a covert fix to already open <a href="https://github.com/bitcoin/bitcoin/pull/31112">PR #31112</a> which works around the issue by removing the early returns</li> <li>2024-12-03 PR #31112 is merged</li> <li>2025-04-12 Bitcoin Core version 29.0 is released with a fix</li> <li>2026-04-19 The last vulnerable Bitcoin Core version (28.x) goes end of life</li> <li>2026-05-05 Public disclosure.</li> </ul> Tue, 05 May 2026 00:00:00 +0000 https://btc-zhtw-review.achow101.com/en/2026/05/05/disclose-cve-2024-52911/ https://btc-zhtw-review.achow101.com/en/2026/05/05/disclose-cve-2024-52911/ <p>Bitcoin Core version 31.0 is now available for <a href="/en/download">download</a>. See the <a href="/en/releases/31.0/">release notes</a> for more information about the bug fixes in this release.</p> <p>If you have any questions, please stop by the #bitcoin IRC chatroom (<a href="irc://irc.libera.chat/bitcoin">IRC</a>, <a href="https://web.libera.chat/#bitcoin">web</a>) and we’ll do our best to help you.</p> Sun, 19 Apr 2026 00:00:00 +0000 https://btc-zhtw-review.achow101.com/en/2026/04/19/release-31.0/ https://btc-zhtw-review.achow101.com/en/2026/04/19/release-31.0/ <p>Bitcoin Core version 28.4 is now available for <a href="/en/download">download</a>. See the <a href="/en/releases/28.4/">release notes</a> for more information about the bug fixes in this release.</p> <p>If you have any questions, please stop by the #bitcoin IRC chatroom (<a href="irc://irc.libera.chat/bitcoin">IRC</a>, <a href="https://web.libera.chat/#bitcoin">web</a>) and we’ll do our best to help you.</p> Wed, 18 Mar 2026 00:00:00 +0000 https://btc-zhtw-review.achow101.com/en/2026/03/18/release-28.4/ https://btc-zhtw-review.achow101.com/en/2026/03/18/release-28.4/ <p>Bitcoin Core version 29.3 is now available for <a href="/en/download">download</a>. See the <a href="/en/releases/29.3/">release notes</a> for more information about the bug fixes in this release.</p> <p>If you have any questions, please stop by the #bitcoin IRC chatroom (<a href="irc://irc.libera.chat/bitcoin">IRC</a>, <a href="https://web.libera.chat/#bitcoin">web</a>) and we’ll do our best to help you.</p> Tue, 10 Feb 2026 00:00:00 +0000 https://btc-zhtw-review.achow101.com/en/2026/02/10/release-29.3/ https://btc-zhtw-review.achow101.com/en/2026/02/10/release-29.3/ <p>Bitcoin Core version 30.2 is now available for <a href="/en/download">download</a>. See the <a href="/en/releases/30.2/">release notes</a> for more information about the bug fixes in this release.</p> <p>If you have any questions, please stop by the #bitcoin IRC chatroom (<a href="irc://irc.libera.chat/bitcoin">IRC</a>, <a href="https://web.libera.chat/#bitcoin">web</a>) and we’ll do our best to help you.</p> Sat, 10 Jan 2026 00:00:00 +0000 https://btc-zhtw-review.achow101.com/en/2026/01/10/release-30.2/ https://btc-zhtw-review.achow101.com/en/2026/01/10/release-30.2/