Bitcoin Core
Source repositories
CVEs (54)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-20111 | | Cri | 0.57 | 9.8 | 0.01 | | Nov 18, 2024 | miniupnp before 4c90b87, as used in Bitcoin Core before 0.12 and other products, lacks checks for snprintf return values, leading to a buffer overflow and significant data leak, a different vulnerability than CVE-2019-12107. In Bitcoin Core before 0.12, remote code execution was… |
| CVE-2024-52911 | | Hig | 0.42 | 7.5 | 0.00 | | May 5, 2026 | Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14. |
| CVE-2025-46597 | | Hig | 0.42 | 7.5 | 0.00 | | Mar 20, 2026 | Bitcoin Core 0.13.0 through 29.x has an integer overflow. |
| CVE-2024-52918 | | Med | 0.42 | 6.5 | 0.00 | | Nov 18, 2024 | Bitcoin-Qt in Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption and application crash) via a BIP21 r parameter for a URL that has a large file. |
| CVE-2016-10725 | | Hig | 0.42 | 7.5 | 0.03 | | Jul 5, 2018 | In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which is supposed to override all other alerts) because operations occur in the wrong order. This behavior occurs in the remote network alert system (deprecated since Q1 2016). This… |
| CVE-2016-10724 | | Hig | 0.42 | 7.5 | 0.02 | | Jul 5, 2018 | Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain private key that had been known by unintended actors, because of an infinitely sized… |
| CVE-2024-34149 | | Med | 0.34 | 6.3 | 0.00 | | Apr 30, 2024 | In Bitcoin Core through 27.0 and Bitcoin Knots before 25.1.knots20231115, tapscript lacks a policy size limit check, a different issue than CVE-2023-50428. NOTE: some parties oppose this new limit check (for example, because they agree with the objective but disagree with the… |
| CVE-2025-46598 | | Med | 0.27 | 5.3 | 0.00 | | Mar 20, 2026 | Bitcoin Core through 29.0 allows a denial of service via a crafted transaction. |
| CVE-2021-3401 | | | 0.01 | — | 0.10 | | Feb 4, 2021 | Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser.… |
| CVE-2025-54605 | | | 0.00 | — | 0.00 | | Oct 28, 2025 | Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 2 of 2). |
| CVE-2024-55563 | | | 0.00 | — | 0.01 | | Dec 9, 2024 | Bitcoin Core through 27.2 allows transaction-relay jamming via an off-chain protocol attack, a related issue to CVE-2024-52913. For example, the outcome of an HTLC (Hashed Timelock Contract) can be changed because a flood of transaction traffic prevents propagation of certain… |
| CVE-2024-52922 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | In Bitcoin Core before 25.1, an attacker can cause a node to not download the latest block, because there can be minutes of delay when an announcing peer stalls instead of complying with the peer-to-peer protocol specification. |
| CVE-2024-52914 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | In Bitcoin Core before 0.18.0, a node could be stalled for hours when processing the orphans of a crafted unconfirmed transaction. |
| CVE-2024-52920 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (infinite loop) via a malformed GETDATA message. |
| CVE-2024-52913 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | In Bitcoin Core before 0.21.0, an attacker could prevent a node from seeing a specific unconfirmed transaction, because transaction re-requests are mishandled. |
| CVE-2024-52917 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device. |
| CVE-2024-52919 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | Bitcoin Core before 22.0 has a CAddrMan nIdCount integer overflow and resultant assertion failure (and daemon exit) via a flood of addr messages. |
| CVE-2024-52921 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block. |
| CVE-2024-52915 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption) via a crafted INV message. |
| CVE-2024-52912 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | Bitcoin Core before 0.21.0 allows a network split that is resultant from an integer overflow (calculating the time offset for newly connecting peers) and an abs64 logic bug. |
Page 1 of 3