Public disclosure of one high severity Bitcoin Core advisory (CVE-2024-52911)


Niklas Goegge

May 5, 2026, 9:41:20 AM
to Bitcoin Development Mailing List
Hi everyone,

In accordance with our security disclosure policy, we are sharing one advisory for a *high-severity* security vulnerability fixed in Bitcoin Core version 29.0 and above.

The detailed advisory can be found here: https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/.

Thanks to Cory Fields for reporting this issue and to everyone involved in fixing it.

Our disclosure policy as well as previously disclosed vulnerabilities are available on the Bitcoin Core website at https://bitcoincore.org/en/security-advisories/.

Niklas Goegge

Antoine Riard

May 5, 2026, 8:26:26 PM
to Bitcoin Development Mailing List
Hi,

This is an interesting class of bug. Escalating a use-after-free into a userspace remote code execution does not seem as unlikely as one might think.

Thinking briefly about an escalation strategy:

1. make a specifically crafted invalid block (e.g. a multi-input tx)
2. scan the kernel used by the node to roughly guess the memory allocator used
3. progressively fill bitcoind to reach the process virtual memory limit (i.e. can't `mmap()` anymore)
4. trigger the struct pointer being freed (here it would be `PrecomputedTransactionData`)
5. on a background / parallel thread accessing a sensitive data struct, get the memory area reallocated
6. on your original thread, access the pointer to write into the sensitive struct

Now, the open question is if the accessed data struct is somehow consensus, if it could be more severe than a simple crash, e.g. a netsplit. Easier said than done, that is sure.

With the validation code, currently it requires the `cs_main` lock, so in my understanding numerous entry points also requiring a lock held cannot be leveraged, which makes it harder to find a gadget (step 4). I don't think you can rule out non-cs_main-holding entry points (e.g. an RPC call); as long as the gadget is living in the same process memory space one might be able to trigger it.

Minimal validation code: that's fewer gadgets that can be adversarially re-used for this class of bug.

0.14 -> Nov 2024. 7 years not being found.

Best,
Antoine

OTS: 7396aa55e02738434d26e27cdadc9649ce568c38c3a3977d1f9094d1658d3c8d