CVE-2024-38359
Description
The Lightning Network Daemon (lnd) is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic can lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to v0.17.0 or a later version to be protected. Users unable to upgrade may set the --rejecthtlc CLI flag and also disable forwarding on channels via the UpdateChanPolicyCommand, or disable listening on a public network interface via the --nolisten flag as a mitigation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A parsing vulnerability in LND's onion processing allows remote attackers to cause a DoS via memory exhaustion, fixed in v0.17.0.
Vulnerability
CVE-2024-38359 is a denial-of-service (DoS) vulnerability in Lightning Network Daemon (lnd) versions prior to 0.17.0. The flaw resides in the onion processing logic, where a malicious onion packet can trigger excessive memory allocation, leading to an out-of-memory (OOM) condition and node crash [1]. The issue stems from improper handling of variable-length fields during decoding of hop payloads [1].
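As an added illustration (not lnd's or lightning-onion's code, but a simplified model of the flaw class described above), the Go example below contrasts a hop-payload decoder that allocates whatever the attacker-controlled length field claims with a hardened one that bounds the length by the bytes actually present before allocating. The BigSize varint encoding and the 1300-byte hop-data size come from BOLT #1 and BOLT #4; the function names, the error values and the crafted input are assumptions of this example, not lnd identifiers.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// hopDataSize is the fixed size of the hop_payloads blob in a BOLT #4 onion
// packet. No single hop payload can legitimately exceed it, so it is the
// natural ceiling for any allocation driven by a payload length field.
const hopDataSize = 1300

var (
	errTruncated       = errors.New("truncated hop data")
	errPayloadTooLarge = errors.New("hop payload length exceeds available hop data")
)

// readBigSize decodes a BOLT #1 BigSize varint and returns the value and the
// number of bytes consumed. (Minimal-encoding checks are omitted for brevity.)
func readBigSize(b []byte) (uint64, int, error) {
	if len(b) == 0 {
		return 0, 0, errTruncated
	}
	switch b[0] {
	case 0xfd:
		if len(b) < 3 {
			return 0, 0, errTruncated
		}
		return uint64(binary.BigEndian.Uint16(b[1:3])), 3, nil
	case 0xfe:
		if len(b) < 5 {
			return 0, 0, errTruncated
		}
		return uint64(binary.BigEndian.Uint32(b[1:5])), 5, nil
	case 0xff:
		if len(b) < 9 {
			return 0, 0, errTruncated
		}
		return binary.BigEndian.Uint64(b[1:9]), 9, nil
	default:
		return uint64(b[0]), 1, nil
	}
}

// writeBigSize encodes v as a minimal BigSize varint.
func writeBigSize(v uint64) []byte {
	switch {
	case v < 0xfd:
		return []byte{byte(v)}
	case v <= 0xffff:
		b := make([]byte, 3)
		b[0] = 0xfd
		binary.BigEndian.PutUint16(b[1:], uint16(v))
		return b
	case v <= 0xffffffff:
		b := make([]byte, 5)
		b[0] = 0xfe
		binary.BigEndian.PutUint32(b[1:], uint32(v))
		return b
	default:
		b := make([]byte, 9)
		b[0] = 0xff
		binary.BigEndian.PutUint64(b[1:], v)
		return b
	}
}

// decodePayloadVulnerable models the flawed pattern: the attacker-controlled
// length is used directly as an allocation size, so a multi-gigabyte length
// field inside a 1300-byte packet forces a multi-gigabyte allocation per HTLC.
func decodePayloadVulnerable(hopData []byte) ([]byte, error) {
	length, n, err := readBigSize(hopData)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, length) // BUG: unbounded, attacker-chosen size
	copy(buf, hopData[n:])
	return buf, nil
}

// decodePayloadSafe rejects any length that cannot fit in the remaining hop
// data before allocating anything, capping the allocation at hopDataSize.
func decodePayloadSafe(hopData []byte) ([]byte, error) {
	length, n, err := readBigSize(hopData)
	if err != nil {
		return nil, err
	}
	if length > uint64(len(hopData)-n) {
		return nil, errPayloadTooLarge
	}
	buf := make([]byte, length)
	copy(buf, hopData[n:n+int(length)])
	return buf, nil
}

// craftHopData builds a hopDataSize-byte blob whose length field claims
// claimedLen bytes of payload (constructed test input, not a real onion).
func craftHopData(claimedLen uint64) []byte {
	hopData := make([]byte, hopDataSize)
	copy(hopData, writeBigSize(claimedLen))
	return hopData
}

func main() {
	bomb := craftHopData(4 << 30) // claims a 4 GiB payload in a 1300-byte packet
	if _, err := decodePayloadSafe(bomb); err != nil {
		fmt.Println("hardened decoder:", err)
	}
	p, _ := decodePayloadSafe(craftHopData(100))
	fmt.Println("hardened decoder accepted a", len(p), "byte payload")
}
```

The demo deliberately feeds the oversized length only to the hardened decoder; calling decodePayloadVulnerable with it would reproduce the OOM on the host.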
Exploitation
An attacker can exploit this vulnerability by crafting a specially designed onion packet and sending it to a victim node via the Lightning Network. Because the packet is onion-routed, the attacker does not need a direct connection to the victim, making the source difficult to trace [1]. The attack is cheap and easy to carry out, and it can keep the victim offline for as long as the attack lasts [1].
Impact
Successful exploitation causes the vulnerable node to run out of memory and crash, disrupting its ability to process payments, forward HTLCs, or participate in the network. This DoS can lead to financial loss if the node is unable to settle or forward payments in a timely manner [1]. All nodes running unpatched versions are vulnerable [1].
Mitigation
The vulnerability is patched in lnd v0.17.0 [2]. Users should upgrade to version 0.17.0 or later. For those unable to upgrade, mitigations include setting the --rejecthtlc CLI flag, disabling forwarding via UpdateChanPolicyCommand, or disabling public network listening with --nolisten [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/lightningnetwork/lnd | Go | < 0.17.0-beta | 0.17.0-beta |
Affected products
- Range: 0.4-beta, cert/v1.0.1, cert/v1.0.2, …
Patches
- 12fb150c8fe82
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9gxx-58q6-42p7 (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-38359 (ghsa, advisory)
- delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979 (nvd, web)
- github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta (nvd, web)
- github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7 (nvd, web)
- lightning.network (nvd, web)
- morehouse.github.io/lightning/lnd-onion-bomb (nvd, web)
News mentions
No linked articles in our index yet.