Bitcoin Foundation
The Bitcoin Foundation was an American organization formerly registered as a nonprofit corporation.
Products
- 54 CVEs
- 24 CVEs
- 23 CVEs
- 8 CVEs
- 3 CVEs
Recent CVEs
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-20111 | | Critical | 0.57 | 9.8 | 0.01 | | Nov 18, 2024 | miniupnp before 4c90b87, as used in Bitcoin Core before 0.12 and other products, lacks checks for snprintf return values, leading to a buffer overflow and significant data leak, a different vulnerability than CVE-2019-12107. In Bitcoin Core before 0.12, remote code execution was… |
| CVE-2017-9230 | | High | 0.49 | 7.5 | 0.03 | | May 24, 2017 | The Bitcoin Proof-of-Work algorithm does not consider a certain attack methodology related to 80-byte block headers with a variety of initial 64-byte chunks followed by the same 16-byte chunk, multiple candidate root values ending with the same 4 bytes, and calculations… |
| CVE-2024-52911 | | High | 0.42 | 7.5 | 0.00 | | May 5, 2026 | Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14. |
| CVE-2025-46597 | | High | 0.42 | 7.5 | 0.00 | | Mar 20, 2026 | Bitcoin Core 0.13.0 through 29.x has an integer overflow. |
| CVE-2024-52918 | | Medium | 0.42 | 6.5 | 0.00 | | Nov 18, 2024 | Bitcoin-Qt in Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption and application crash) via a BIP21 r parameter for a URL that has a large file. |
| CVE-2016-10725 | | High | 0.42 | 7.5 | 0.03 | | Jul 5, 2018 | In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which is supposed to override all other alerts) because operations occur in the wrong order. This behavior occurs in the remote network alert system (deprecated since Q1 2016). This… |
| CVE-2016-10724 | | High | 0.42 | 7.5 | 0.02 | | Jul 5, 2018 | Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain private key that had been known by unintended actors, because of an infinitely sized… |
| CVE-2016-8889 | | Medium | 0.40 | 6.2 | 0.00 | | Oct 28, 2016 | In Bitcoin Knots v0.11.0.ljr20150711 through v0.13.0.knots20160814 (fixed in v0.13.1.knots20161027), the debug console stores sensitive information including private keys and the wallet passphrase in its persistent command history. |
| CVE-2024-34149 | | Medium | 0.34 | 6.3 | 0.00 | | Apr 30, 2024 | In Bitcoin Core through 27.0 and Bitcoin Knots before 25.1.knots20231115, tapscript lacks a policy size limit check, a different issue than CVE-2023-50428. NOTE: some parties oppose this new limit check (for example, because they agree with the objective but disagree with the… |
| CVE-2025-46598 | | Medium | 0.27 | 5.3 | 0.00 | | Mar 20, 2026 | Bitcoin Core through 29.0 allows a denial of service via a crafted transaction. |
| CVE-2021-3401 | | | 0.01 | — | 0.10 | | Feb 4, 2021 | Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser.… |
| CVE-2025-54605 | | | 0.00 | — | 0.00 | | Oct 28, 2025 | Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 2 of 2). |
| CVE-2024-55563 | | | 0.00 | — | 0.01 | | Dec 9, 2024 | Bitcoin Core through 27.2 allows transaction-relay jamming via an off-chain protocol attack, a related issue to CVE-2024-52913. For example, the outcome of an HTLC (Hashed Timelock Contract) can be changed because a flood of transaction traffic prevents propagation of certain… |
| CVE-2024-52922 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | In Bitcoin Core before 25.1, an attacker can cause a node to not download the latest block, because there can be minutes of delay when an announcing peer stalls instead of complying with the peer-to-peer protocol specification. |
| CVE-2024-52920 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (infinite loop) via a malformed GETDATA message. |
| CVE-2024-52919 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | Bitcoin Core before 22.0 has a CAddrMan nIdCount integer overflow and resultant assertion failure (and daemon exit) via a flood of addr messages. |
| CVE-2024-52917 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device. |
| CVE-2024-52921 | | | 0.00 | — | 0.00 | | Nov 18, 2024 | In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block. |
| CVE-2024-52915 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption) via a crafted INV message. |
| CVE-2024-52914 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | In Bitcoin Core before 0.18.0, a node could be stalled for hours when processing the orphans of a crafted unconfirmed transaction. |