Security Advisories
Overview
This page outlines the policy around vulnerability disclosure in Bitcoin Core, followed by a summary of past security advisories.
Policy
All vulnerabilities should be reported to security@bitcoincore.org (see SECURITY.md for details). Once reported, a vulnerability is assigned a severity category. We distinguish 4 categories of vulnerabilities:
- Critical: Bugs that threaten the fundamental security and integrity of the entire Bitcoin network. These bugs allow coins to be stolen at the protocol level, coins to be created outside the specified issuance schedule, or a permanent, network-wide chain split.
  Examples
  - A bug allowing the same transaction output to be spent twice within a block, increasing the money supply (CVE-2018-17144).
  - A consensus failure in which nodes running older software rejected blocks accepted by newer software because of an underlying database limit, causing a network-wide chain split (BIP 50).
- High: Bugs with a significant impact on affected nodes or the network. These bugs can typically be exploited remotely in the default configuration and may cause widespread disruption.
  Examples
  - A remotely triggerable crash that could take many nodes offline (CVE-2024-35202).
  - A denial of service that stalls a node for an extended period, leaving it unable to process new transactions and blocks (CVE-2024-52914).
  - A memory-exhaustion vulnerability that can be triggered remotely to crash a node by making it store an excessive number of block headers (CVE-2019-25220).
- Medium: Bugs that can noticeably degrade the performance or functionality of the network or a node, but whose scope or exploitability is limited. These bugs may need special conditions to trigger, such as non-default settings, or cause degraded service rather than complete node failure.
  Examples
  - A potential remote code execution (RCE) vulnerability on the local network, exploitable only when a non-default feature such as UPnP is enabled (CVE-2015-20111).
  - A peer can hinder block propagation by sending mutated blocks, delaying when the node receives new blocks (CVE-2024-52921).
  - An attacker announces a block to a node and then fails to deliver it, leaving the victim node waiting up to 10 minutes before it can fetch the block from other peers (CVE-2024-52922).
- Low: Bugs that are hard to exploit or have only a minor effect on node operation. These bugs may be triggerable only in non-default configurations or from the local network, and pose no immediate or widespread threat.
  Examples
  - A malformed getdata message can cause a peer connection to enter an infinite loop, consuming CPU but not affecting the node's ability to process blocks or serve other peers (CVE-2024-52920).
  - A bug in a dependency can crash the node, but only when a non-default feature such as UPnP is enabled (CVE-2024-52917).
  - A bug that can crash the node but is extremely hard to exploit (CVE-2024-52919).
Low-severity vulnerabilities are disclosed 2 weeks after the release of the major version that contains the fix. Medium- and high-severity vulnerabilities are disclosed 2 weeks after the last affected version reaches end of life (roughly one year after the first release of the major version containing the fix).
A pre-announcement is made two weeks before the vulnerability details are published. It coincides with the release of the new major version and states the number of fixed vulnerabilities and their severity levels.
Critical bugs are not covered by the standard policy, since they are likely to require ad-hoc procedures. In addition, a reported bug may not be considered a vulnerability at all. Any reported issue may also be judged severe yet not require an embargo.
Past Security Advisories
CVE-2024-52911 - Script Interpreter Remote Crash
A specially-crafted block can be used to remotely crash a Bitcoin Core node by exploiting a use-after-free in its script interpreter.
CVE-2025-46597 - Highly unlikely remote crash on 32-bit systems
An attacker could produce a block that crashes nodes running on 32-bit systems in a rare edge case. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
CVE-2025-46598 - CPU DoS from unconfirmed transaction processing
Specially crafted invalid unconfirmed transactions could cause unnecessary resource usage. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
CVE-2025-54604 - Disk filling from spoofed self connections
An attacker could cause a victim node to fill up its disk space by repeatedly faking self-connections over a long time. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
CVE-2025-54605 - Disk filling from invalid blocks
An attacker could cause a victim node to fill up its disk space by repeatedly sending invalid blocks. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
CVE-2024-52919 - Remote crash due to addr message spam (part 2)
An attacker could crash a node by spamming it with addr messages for a very long time. A fix was released on April 14th 2025 in Bitcoin Core v29.0.
CVE-2024-52922 - Hindered block propagation due to stalling peers
A peer could hinder block propagation by announcing blocks first and then simply withholding the block.
Disclosure of CVE-2024-35202
An attacker could remotely crash a Bitcoin Core node by triggering an assertion in the blocktxn message handling logic.
Disclosure of DoS due to inv-to-send sets growing too large
The inv-to-send sets could grow too large to a point where the time spent sorting the sets would affect the node’s ability to communicate with its peers.
CVE-2024-52921 - Hindered block propagation due to mutated blocks
A peer could hinder block propagation by sending mutated blocks.
CVE-2019-25220 - Memory DoS due to headers spam
An attacker could spam a Bitcoin Core node with low-difficulty headers chains, which could be used to remotely crash it.
CVE-2024-52919 - Remote crash due to addr message spam
Nodes could be spammed with addr messages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
CVE-2024-52917 - Infinite loop bug in the miniupnp dependency
Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
CVE-2024-52918 - Crash using malicious BIP72 URI
The BIP70 implementation in Bitcoin-Qt could silently crash when opening a BIP72 URI. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52920 - DoS using huge GETDATA messages
A malformed GETDATA message could trigger 100% CPU usage on the receiving node. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52916 - Memory DoS using low-difficulty headers
Nodes could be spammed with low-difficulty headers, which could be used to crash them. A fix was released on September 14th, 2017 in Bitcoin Core 0.15.0.
CVE-2024-52915 - Memory DoS using huge INV messages
Nodes would allocate up to 50 MB of memory per attacker sending a malicious INV message. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52914 - Significant DoS due to orphan handling
A node could be stalled for hours when receiving a specially crafted unconfirmed transaction. A fix was released on May 18th, 2019 in Bitcoin Core 0.18.0.
CVE-2024-52912 - Netsplit due to timestamp adjustment
A node could be split from the network when attacked by its first 200 peers. A fix was released on January 15th, 2021 in Bitcoin Core version 0.21.0.
Disclosure of CVE-2020-14198
Nodes could be subject to CPU and memory DoS when attacked by lots of distinct IPs. A fix was released on August 1st, 2020 in Bitcoin Core 0.20.1.
CVE-2024-52913 - Censorship due to transaction re-request handling
Nodes could be prevented from seeing specific unconfirmed transactions by a malicious peer. A fix was released on January 14th, 2021 in Bitcoin Core 0.21.0.
Disclosure of CVE-2015-3641
Attackers sending large incomplete messages would cause high memory usage. A fix was released on April 27th, 2015 in Bitcoin Core 0.10.1.
CVE-2015-20111 - Remote code execution due to bug in miniupnpc
A bug in the miniupnpc library could have led to a remote code execution in Bitcoin Core. A fix was released on October 15th, 2015 in Bitcoin Core 0.11.1.
Disclosure of CVE-2017-18350
Nodes were potentially vulnerable to a buffer overflow by malicious SOCKS servers. A fix was released on November 6th, 2017 in Bitcoin Core version 0.15.1.
Disclosure of CVE-2018-17144
Bitcoin Core was vulnerable to a DoS and inflation attack. A fix was released on September 18th, 2018 in Bitcoin Core versions 0.16.3 and 0.17.0rc4.
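The inflation bug summarized above (CVE-2018-17144, also the first Critical example in the policy section) comes down to one invariant: within a block, every transaction output may be spent at most once. The toy validator below is an added example written for this page, not Bitcoin Core code; it does not reproduce the real UTXO cache or the exact code path of the bug. It contrasts a lenient connect loop, which values inputs by lookup and only removes them afterwards with a non-failing delete, against a hardened one that checks for duplicate inputs per transaction and consumes every input with a failing pop. The `Tx` type, the `SUBSIDY` constant, and the sample blocks are all constructed for the example.

```python
"""Toy block validator for the double-spend invariant behind CVE-2018-17144.

Added example, not Bitcoin Core code. It models neither the real UTXO cache
nor the exact code path of the bug, only the invariant the bug broke: within
one block, each transaction output may be spent at most once.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OutPoint = Tuple[str, int]   # (txid, output index)
SUBSIDY = 50                 # assumed block subsidy for this toy chain


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]   # outpoints being spent; empty for the coinbase
    outputs: List[int]       # output values


class InvalidBlock(Exception):
    pass


def check_tx_duplicate_inputs(tx: Tx) -> None:
    """Per-transaction check: an outpoint may appear at most once."""
    seen = set()
    for op in tx.inputs:
        if op in seen:
            raise InvalidBlock(f"{tx.txid}: inputs-duplicate {op}")
        seen.add(op)


def _finish(view: Dict[OutPoint, int], coinbase: Tx, fees: int) -> Dict[OutPoint, int]:
    """Shared tail: coinbase may claim at most subsidy plus collected fees."""
    if sum(coinbase.outputs) > SUBSIDY + fees:
        raise InvalidBlock("coinbase pays more than subsidy plus fees")
    for i, v in enumerate(coinbase.outputs):
        view[(coinbase.txid, i)] = v
    return view


def connect_block_lenient(utxo: Dict[OutPoint, int], block: List[Tx]) -> Dict[OutPoint, int]:
    """Models the bug class: no duplicate-input check; inputs are valued by
    lookup and only removed afterwards with a non-failing delete, so a repeated
    outpoint is credited twice but removed once."""
    view = dict(utxo)
    coinbase, rest = block[0], block[1:]
    fees = 0
    for tx in rest:
        value_in = sum(view[op] for op in tx.inputs)  # KeyError only if truly absent
        for op in tx.inputs:
            view.pop(op, None)                        # second pop of same key is a no-op
        value_out = sum(tx.outputs)
        if value_out > value_in:
            raise InvalidBlock(f"{tx.txid}: outputs exceed inputs")
        fees += value_in - value_out
        for i, v in enumerate(tx.outputs):
            view[(tx.txid, i)] = v
    return _finish(view, coinbase, fees)


def connect_block(utxo: Dict[OutPoint, int], block: List[Tx]) -> Dict[OutPoint, int]:
    """Hardened variant: per-tx duplicate check up front, and every input is
    consumed with a failing pop, so a second spend of any outpoint, inside one
    transaction or across transactions of the block, rejects the block."""
    view = dict(utxo)
    coinbase, rest = block[0], block[1:]
    if coinbase.inputs:
        raise InvalidBlock("coinbase must not have inputs")
    fees = 0
    for tx in rest:
        check_tx_duplicate_inputs(tx)
        value_in = 0
        for op in tx.inputs:
            if op not in view:
                raise InvalidBlock(f"{tx.txid}: missing or already-spent input {op}")
            value_in += view.pop(op)
        value_out = sum(tx.outputs)
        if value_out > value_in:
            raise InvalidBlock(f"{tx.txid}: outputs exceed inputs")
        fees += value_in - value_out
        for i, v in enumerate(tx.outputs):
            view[(tx.txid, i)] = v
    return _finish(view, coinbase, fees)


def money_supply(view: Dict[OutPoint, int]) -> int:
    return sum(view.values())


def rejects(connect, utxo: Dict[OutPoint, int], block: List[Tx], exc) -> bool:
    """True if `connect` raises `exc` for this block."""
    try:
        connect(utxo, block)
    except exc:
        return True
    return False


# Constructed sample data, not real chain data.
GENESIS_UTXO: Dict[OutPoint, int] = {("coin0", 0): 50}
DOUBLE_SPEND_BLOCK = [
    Tx("cb", [], [SUBSIDY]),
    Tx("dbl", [("coin0", 0), ("coin0", 0)], [100]),  # spends coin0 twice in one tx
]
CROSS_TX_BLOCK = [
    Tx("cb", [], [SUBSIDY]),
    Tx("a", [("coin0", 0)], [40]),
    Tx("b", [("coin0", 0)], [40]),                   # spends coin0 again in a later tx
]
HONEST_BLOCK = [
    Tx("cb", [], [SUBSIDY + 10]),                    # subsidy plus the 10-unit fee from tx a
    Tx("a", [("coin0", 0)], [40]),
]

if __name__ == "__main__":
    print("honest supply:", money_supply(connect_block(GENESIS_UTXO, HONEST_BLOCK)))
    print("lenient supply:", money_supply(connect_block_lenient(GENESIS_UTXO, DOUBLE_SPEND_BLOCK)))
    print("hardened rejects double spend:", rejects(connect_block, GENESIS_UTXO, DOUBLE_SPEND_BLOCK, InvalidBlock))
```

The cross-transaction block is why the per-transaction `inputs-duplicate` check alone is not enough: two different transactions in the same block can name the same outpoint, and only the failing pop in the connect loop catches that. Running the module directly shows the lenient supply (150 against an honest 100) next to the hardened rejection.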
