The Bitcoin Core team has rectified a memory safety-related bug. A significant portion of nodes still operates with vulnerable software.
A new high severity level advisory has been posted: https://t.co/zBboOF1IJC
— Bitcoin Core Project (@bitcoincoreorg) May 5, 2026
The bug was discovered by researcher Cory Fields, who reported it on November 2, 2024.
A few days later, programmer Pieter Wuille released a covert patch: to avoid attracting the attention of malicious actors, the patch was issued under a neutral name—as a routine debugging improvement for parallel script verification.
The fix was incorporated into the codebase in December 2024 and included in the Bitcoin Core 29.0 release in April 2025. The last vulnerable 28.x branch reached the end of its lifecycle on April 19, 2026—only then did developers disclose the details.
Bitcoin Core emphasized that the vulnerability did not affect the blockchain’s consensus rules and was solely related to local memory handling in node software.
Nature of the Issue
The vulnerability was the first memory safety bug in Bitcoin Core’s history. Under certain conditions, a miner could create a specially crafted invalid block that would crash the victim’s node during parallel script verification.
Theoretically, the resulting incorrect memory state also opened a path to remote code execution. Bitcoin Core deemed such a scenario unlikely due to block format constraints but assessed the risk as high.
The attack was mitigated by a simple economic factor: exploiting the vulnerability would require an attacker to expend real hashrate on mining invalid blocks without receiving a reward.
Developers have fixed the bug, but a significant portion of the network has yet to update. According to Clark Moody, about 43% of Bitcoin nodes still run on older client versions.
In April, programmers demonstrated Bitcoin consensus vulnerabilities.
