Medium severity6.5OSV Advisory· Published Jun 20, 2024· Updated Jun 17, 2026
CVE-2024-38359
CVE-2024-38359
Description
The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the --rejecthtlc CLI flag and also disable forwarding on channels via the UpdateChanPolicyCommand, or disable listening on a public network interface via the --nolisten flag as a mitigation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/lightningnetwork/lndGo | < 0.17.0-beta | 0.17.0-beta |
Affected products
2- Range: 0.4-beta, cert/v1.0.1, cert/v1.0.2, …
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-9gxx-58q6-42p7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-38359ghsaADVISORY
- delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979nvdWEB
- github.com/lightningnetwork/lnd/releases/tag/v0.17.0-betanvdWEB
- github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7nvdWEB
- lightning.networknvdWEB
- morehouse.github.io/lightning/lnd-onion-bombnvdWEB
News mentions
0No linked articles in our index yet.