Bitcoin Core reveals a bug that could allow miners to crash nodes



Bitcoin Core developers have revealed a high-risk bug that could allow miners to crash some Bitcoin nodes remotely.

Summary

  • Bitcoin Core has disclosed CVE-2024-52911, affecting versions before 29.0, with older nodes still exposed online.
  • Miners needed expensive proof-of-work blocks to trigger crashes, making real-world abuse historically unlikely for attackers.
  • Corey Fields reported the bug privately in 2024, before Bitcoin Core 29.0 shipped the patched software.

The issue, tracked as CVE-2024-52911, affects Bitcoin Core versions after 0.14.0 and before 29.0. The bug was fixed in Bitcoin Core 29.0, released in April 2025.

Bitcoin Core published the issue on May 5, 2026, after the last vulnerable 28.x release line reached end of life on April 19.

Block validation error

The issue lies in Bitcoin Core’s script interpreter during block validation. Bitcoin Core said a specially crafted block could cause a node to access memory after it has already been freed.

During validation, Bitcoin Core precalculates the transaction input data and sends script checks to the background threads. In some cases, an invalid block can destroy cached data while another thread tries to read it.

Bitcoin Core said this could allow an attacker with enough proof of work to crash a victim’s node. It also said it was “possible” that the fault could support remote code execution, though limitations on the block data make that outcome “unlikely.”

The attack requires expensive mining

Carrying out the attack was not easy. A miner would need to produce a specially crafted block with enough proof of work to reach the tip of the chain.

This made the attack costly because such a block would be invalid. It could not earn the normal block reward, leaving the attacker to spend hashing power without collecting the usual mining payments.

Bitcoin Core did not say that the flaw had been used in real attacks. The advisory focused on the defect, remediation and disclosure timeline.

The bug did not change Bitcoin’s consensus rules. It was a memory-handling flaw in the Bitcoin Core software, not in the rules that determine valid Bitcoin transactions or blocks.

Corey Fields reported the bug

Corey Fields of MIT’s Digital Currency Initiative privately reported the bug on November 2, 2024. Bitcoin Core said the report included a proof of concept and a proposed method for mitigating the risks.

Peter and Will pushed a secret fix four days later through PR 31112. The pull request was merged on December 3, 2024, before Bitcoin Core 29.0 shipped with the fix in April 2025.

This advisory followed Bitcoin Core’s disclosure policy for high-risk bugs. Under that policy, high-risk issues are disclosed after the last affected version has reached end of life.

Node operators running Bitcoin Core versions before 29.0 remain exposed to the bug. Bitcoin Core does not update automatically, so users must manually install newer versions.
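Because upgrades are manual, operators may want to check their own inventory against the affected range given above. The following is an added example, not code from Bitcoin Core or the advisory: it classifies BIP 14 user-agent strings (the `subversion` value a node reports through `getnetworkinfo`) using the range stated in this article, and the host names and sample strings are constructed.

```python
import re

# Affected range as stated in the article: after 0.14.0 and before 29.0.
AFFECTED_AFTER = (0, 14, 0)
FIXED_IN = (29, 0, 0)

# "Satoshi" token of a BIP 14 user agent, e.g. "/Satoshi:28.1.0/" or
# "/Satoshi:0.21.1(comment)/". A fourth numeric component is tolerated.
_UA = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(?:\([^)]*\))?/")

def parse_version(user_agent):
    """Return (major, minor, patch) or None if no Satoshi token is present."""
    m = _UA.search(user_agent or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def classify(user_agent):
    """Map a user agent to 'affected', 'not-affected' or 'unknown'."""
    v = parse_version(user_agent)
    if v is None:
        return "unknown"  # other client or malformed string: review by hand
    return "affected" if AFFECTED_AFTER < v < FIXED_IN else "not-affected"

def audit(inventory):
    """inventory: {host: user_agent}. Returns hosts grouped by status."""
    report = {"affected": [], "not-affected": [], "unknown": []}
    for host, ua in sorted(inventory.items()):
        report[classify(ua)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts). Use values read from
# your own nodes; strings advertised by remote peers are self-reported.
SAMPLE = {
    "node-a.example": "/Satoshi:28.1.0/",
    "node-b.example": "/Satoshi:29.0.0/",
    "node-c.example": "/Satoshi:0.21.1/",
    "node-d.example": "/Satoshi:27.0.0(archive)/",
    "node-e.example": "/Satoshi:0.13.2/",
    "node-f.example": "",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```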

A past report on the risks of blockchain decentralization indicated that 21% of Bitcoin nodes ran outdated Bitcoin Core software in June 2021. This context explains why older client versions can remain a security concern long after fixes are shipped.


