VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 23, 2014· Updated May 6, 2026

CVE-2014-4503

CVE-2014-4503

Description

The parse_notify function in util.c in sgminer before 4.2.2 and cgminer 3.3.0 through 4.0.1 allows man-in-the-middle attackers to cause a denial of service (application exit) via a crafted (1) bbversion, (2) prev_hash, (3) nbit, or (4) ntime parameter in a mining.notify action stratum message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A man-in-the-middle attacker can crash sgminer or cgminer by sending malformed parameters in a stratum mining.notify message.

Vulnerability

The parse_notify function in util.c of sgminer before version 4.2.2 and cgminer versions 3.3.0 through 4.0.1 does not properly validate certain parameters received in a mining.notify Stratum message. Specifically, the function calls quit or quithere when it encounters an invalid hex string for the bbversion, prev_hash, nbit, or ntime parameters, causing the application to exit [1]. The fix in sgminer commit [2] replaces the fatal exit with a warning and pool failure handling.

Exploitation

An attacker who can perform a man-in-the-middle attack on a valid Stratum connection between the miner and the mining pool can send a crafted mining.notify message containing an invalid hex string for any of the four parameters (bbversion, prev_hash, nbit, ntime). No authentication or special privileges are required beyond network position to intercept and modify the traffic [1].

Impact

Successful exploitation causes the miner application to immediately exit, resulting in a denial of service. The miner stops mining until restarted. No data is compromised, and no code execution is achieved; the impact is limited to availability [1].

Mitigation

The vulnerability is fixed in sgminer version 4.2.2 and later [2]. For cgminer, users should upgrade to a version that includes the fix (the commit references sgminer, but cgminer may have a similar fix; check vendor). If upgrading is not possible, ensure the Stratum connection is secured against man-in-the-middle attacks (e.g., using TLS). No workaround within the application itself is available [1].

References
  1. Invalid Parameters in mining.notify Stratum Message Leads to Denial of Service
  2. stratum: parse_notify(): Don't die on malformed bbversion/prev_hash/n… · sgminer-dev/sgminer@910c360

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

43
  • sgminer-dev/Sgminerreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <4.2.2
  • Cgminer Project/Cgminer34 versions
    cpe:2.3:a:cgminer_project:cgminer:3.10.0:*:*:*:*:*:*:*+ 33 more
    • cpe:2.3:a:cgminer_project:cgminer:3.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.12.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.12.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:3.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cgminer_project:cgminer:4.0.1:*:*:*:*:*:*:*
  • Sgminer Project/Sgminer7 versions
    cpe:2.3:a:sgminer_project:sgminer:*:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:a:sgminer_project:sgminer:*:*:*:*:*:*:*:*range: <=4.2.1
    • cpe:2.3:a:sgminer_project:sgminer:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:sgminer_project:sgminer:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:sgminer_project:sgminer:4.1.153:*:*:*:*:*:*:*
    • cpe:2.3:a:sgminer_project:sgminer:4.1.242:*:*:*:*:*:*:*
    • cpe:2.3:a:sgminer_project:sgminer:4.1.271:*:*:*:*:*:*:*
    • cpe:2.3:a:sgminer_project:sgminer:4.2.0:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.