Highly Critical Vulnerability in Bitcoin Core 24.0.1 and Below Affects 17% of Full Nodes

On September 20, Bitcoin Core developers issued a new high-risk warning about a software vulnerability in one in six Bitcoin nodes, Protos reported. On Thursday, staffers at the open-source Bitcoin Core project, which is responsible for maintaining software that runs on more than 98 percent of the reachable full nodes, disclosed that software running on 17 percent of the network's nodes has significant security issues. Specifically, all software below Bitcoin Core version 24.0.1 is at risk. According to Bitnodes' monitoring estimates, the denial-of-service vulnerability affects approximately 3,330 of the 19,200 self-proclaimed user agents of accessible Bitcoin Complete nodes.

In Bitcoin Core software prior to version 24.0.1, malicious actors could use low-difficulty header chains to spam nodes. By forcing nodes to download and store extremely long header chains, the attack could crash the node by taking up too much bandwidth or device storage space. Developers fixed this vulnerability in Bitcoin Core pull request (PR) number 25717 and merged it into production on December 12, 2022 with the v24.0.1 release. The current version of the Bitcoin Core node software (now 27.1) includes fixes for this and other vulnerabilities.

While this vulnerability is quite serious, there are very few known cases of attacks in the public record that exploit this vulnerability. Since the cost of generating and broadcasting a block header chain to perform a denial-of-service attack is quite high, this vulnerability is of little financial interest to attackers.