Public disclosure of 4 Bitcoin Core security advisories

Antoine Poinsot

Oct 24, 2025, 12:26:37 PM
to Bitcoin Development Mailing List

Hi everyone,

In accordance with our security disclosure policy, I am sharing today four advisories for
*low-severity* security vulnerabilities fixed in Bitcoin Core version 30.0.

Two weeks ago we pre-announced that we would release advisories for five low-severity
vulnerabilities. One of these has since been promoted to medium severity, and its public
disclosure has therefore been rescheduled in accordance with our policy.

The four vulnerabilities publicly disclosed today are the following:
- CVE-2025-54604: Disk filling from spoofed self connections [0]
- CVE-2025-54605: Disk filling from invalid blocks [1]
- CVE-2025-46597: Highly unlikely remote crash on 32-bit systems [2]
- CVE-2025-46598: CPU DoS from unconfirmed transaction processing [3]

The fixes for CVE-2025-54604, CVE-2025-54605 and CVE-2025-46597 are also included in Bitcoin Core
version 29.1 and later minor releases. Thanks to Eugene Siegel, Niklas Goegge and Pieter Wuille for
reporting these issues and to everyone involved in fixing them.

Our disclosure policy as well as previously disclosed vulnerabilities are available on the Bitcoin
Core website at [4].

Antoine Poinsot

[0]: https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54604/
[1]: https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54605/
[2]: https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-46597/
[3]: https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-46598/
[4]: https://bitcoincore.org/en/security-advisories/