-**Disclosure of four low-severity vulnerabilities in Bitcoin Core:**
19
-
Antoine Poinsot recently [posted][poinsot disc] to the Bitcoin-Dev mailing list four Bitcoin Core security advisories for low severity
20
-
vulnerabilities that were fixed in [Bitcoin Core 30.0][]. According to the
21
-
[disclosure policy][disc pol], a low-severity vulnerability is disclosed two
22
-
weeks after the release of a major version containing the fix. The four
23
-
disclosed vulnerabilities are the following:
24
-
25
-
-[CVE-2025-54604][]: Disk filling from spoofed self connections. This bug
26
-
would allow an attacker to fill up the disk space of a victim node by faking
27
-
self-connections.
28
-
29
-
-[CVE-2025-54605][]: Disk filling from invalid blocks. This bug would allow
30
-
an attacker to fill up the disk space of a victim node by repeatedly sending
31
-
invalid blocks. This bug was disclosed responsibly by Niklas Goegge in May 2022 and also independently by Eugene Siegel. Eugene Siegel and Niklas Goegge merged the mitigation in July 2025.
32
-
33
-
-[CVE-2025-46597][]: Highly unlikely remote crash on 32-bit systems. This bug
34
-
may cause a node to crash when receiving a pathological block in a rare
35
-
edge case. This bug was disclosed responsibly by Pieter Wuille in April 2025. Antoine Poinsot implemented and merged the mitigation in June 2025.
36
-
37
-
-[CVE-2025-46598][]: CPU DoS from unconfirmed transaction processing. This
19
+
Antoine Poinsot recently [posted][poinsot disc] to the Bitcoin-Dev mailing
20
+
list four Bitcoin Core security advisories for low-severity vulnerabilities
21
+
that were fixed in Bitcoin Core 30.0. According to the [disclosure
22
+
policy][disc pol] (see [Newsletter #306][news306 disclosures]), a
23
+
low-severity vulnerability is disclosed two weeks after the release of a major
24
+
version containing the fix. The four disclosed vulnerabilities are the
25
+
following:
26
+
27
+
-[Disk filling from spoofed self connections][CVE-2025-54604]: This bug would
28
+
allow an attacker to fill up the disk space of a victim node by faking
29
+
self-connections. The vulnerability was [disclosed responsibly][topic
30
+
responsible disclosures] by Niklas Gögge in March 2022. Eugene Siegel and
31
+
Niklas Gögge merged a mitigation in July 2025.
32
+
33
+
-[Disk filling from invalid blocks][CVE-2025-54605]: This bug would allow an
34
+
attacker to fill up the disk space of a victim node by repeatedly sending
35
+
invalid blocks. This bug was disclosed responsibly by Niklas Gögge in May
36
+
2022 and also independently by Eugene Siegel in March 2025. Eugene Siegel
37
+
and Niklas Gögge merged the mitigation in July 2025.
38
+
39
+
-[Highly unlikely remote crash on 32-bit systems][CVE-2025-46597]: This bug may cause a
40
+
node to crash when receiving a pathological block in a rare edge case. This
41
+
bug was disclosed responsibly by Pieter Wuille in April 2025. Antoine
42
+
Poinsot implemented and merged the mitigation in June 2025.
43
+
44
+
-[CPU DoS from unconfirmed transaction processing][CVE-2025-46598]: This
38
45
bug would cause resource exhaustion when processing an unconfirmed
39
-
transaction. Patches for the first three vulnerabilities have also been included
40
-
in [Bitcoin Core 29.1][] and later minor releases.
46
+
transaction. This bug was
47
+
reported to the mailing list by Antoine Poinsot in April 2025. Pieter
48
+
Wuille, Anthony Towns, and Antoine Poinsot implemented and merged the
49
+
mitigation in August 2025.
50
+
51
+
Patches for the first three vulnerabilities have also been
52
+
included in Bitcoin Core 29.1 and later minor releases.
41
53
42
54
## Selected Q&A from Bitcoin Stack Exchange
43
55
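Review bot: The rewritten intro and the closing "Patches for the first three vulnerabilities" paragraph turn `[Bitcoin Core 30.0][]` and `[Bitcoin Core 29.1][]` into plain text, so readers lose the pointer to the releases that carry the fixes; either keep the reference links or confirm that dropping them is intended and that their definitions are removed along with them. The new labels `[news306 disclosures]` and `[topic responsible disclosures]` need matching link definitions, which this hunk does not show. Minor style points: the first item says "merged a mitigation" while the second says "merged the mitigation", and both the over-long line starting "[Highly unlikely remote crash on 32-bit systems]" and the short "transaction. This bug was" line break the wrapping used by the rest of the list.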
@@ -147,13 +159,12 @@ repo], and [BINANAs][binana repo]._
147
159
{% include linkers/issues.md v=2 issues="29640,8400,3173,10280,5516,2006,1975" %}