The Bitcoin Core project has publicly disclosed a previously patched vulnerability that could allow attackers to remotely crash nodes running older versions of the software.
Table Of Content
Advisory details: CVE-2024-52911
In a security advisory published on May 5, 2026, developers revealed details of CVE-2024-52911, described as a “Script Interpreter Remote Crash.”
The flaw stems from a use-after-free bug in Bitcoin Core’s script interpreter. Under specific conditions, a background validation thread could access transaction data after it had already been freed from memory.
This race condition occurs when block validation exits early, leaving dangling references that can later be accessed incorrectly.
How the attack works
According to the advisory, an attacker can craft a malicious block that triggers the bug and causes a node to crash.
- The exploit relies on invalid or specially constructed blocks that trigger early returns in validation logic.
- A background thread may then read freed memory, leading to a crash.
- Crucially, the attacker must expend valid proof-of-work (PoW) to deliver the malicious block to the tip of the chain.
This requirement raises the cost of exploitation, but does not eliminate the risk, especially for targeted attacks on individual nodes.
Affected versions
The vulnerability affects Bitcoin Core versions prior to 29.0, which did not include the final fix.
Key timeline points from the disclosure:
- November 2024: Bug privately reported by security researcher Cory Fields
- December 2024: Fix merged into the codebase (via PR #31112)
- April 2025: Version 29.0 released with the fix
- April 2026: Last vulnerable branch (28.x) reached end-of-life
- May 2026: Public disclosure of technical details
In practice, this means:
- Vulnerable: All nodes running versions ≤ 28.x
- Patched: Versions 29.0 and later
Impact on the network
The primary impact is a remote denial-of-service (DoS) condition:
- Nodes can be forced offline via crash
- Repeated exploitation could disrupt node availability
- Potential for network partitioning or reduced resilience if many nodes are affected simultaneously
However, the advisory emphasizes important limitations:
- The bug does not allow theft of funds
- It does not compromise consensus rules
- Exploitation requires non-trivial resources (valid PoW)
The issue is therefore classified as a stability and availability risk, rather than a critical consensus failure.
What node operators should do
Developers recommend that all node operators:
- Upgrade to Bitcoin Core 29.0 or later immediately
- Avoid running end-of-life versions such as 28.x
- Monitor future security advisories
