{"id":96882,"date":"2026-05-06T17:56:06","date_gmt":"2026-05-06T14:56:06","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=96882"},"modified":"2026-05-06T18:00:15","modified_gmt":"2026-05-06T15:00:15","slug":"bitcoin-core-developers-address-critical-vulnerability","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/bitcoin-core-developers-address-critical-vulnerability\/","title":{"rendered":"Bitcoin Core Developers Address Critical Vulnerability"},"content":{"rendered":"<p>The Bitcoin Core team has rectified a memory safety-related bug. A significant portion of nodes still operates with vulnerable software.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">A new high severity level advisory has been posted: <a href=\"https:\/\/t.co\/zBboOF1IJC\">https:\/\/t.co\/zBboOF1IJC<\/a><\/p>\n<p>\u2014 Bitcoin Core Project (@bitcoincoreorg) <a href=\"https:\/\/twitter.com\/bitcoincoreorg\/status\/2051644544098107695?ref_src=twsrc%5Etfw\">May 5, 2026<\/a><\/p><\/blockquote>\n<p>The bug was discovered by researcher Cory Fields, who reported it on November 2, 2024.<\/p>\n<p>A few days later, programmer Pieter Wuille released a covert patch. To avoid attracting the attention of malicious actors, it was issued under a neutral name, as a routine debugging improvement for parallel script verification.<\/p>\n<p>The fix was incorporated into the codebase in December 2024 and included in the Bitcoin Core 29.0 release in April 2025. 
The last vulnerable 28.x branch reached the end of its lifecycle on April 19, 2026\u2014only then did developers disclose the details.<\/p>\n<p>Bitcoin Core emphasized that the vulnerability did not affect the blockchain&#8217;s consensus rules and was solely related to local memory handling in node software.<\/p>\n<h2 class=\"wp-block-heading\">Nature of the Issue<\/h2>\n<p>The vulnerability was the first memory safety bug in Bitcoin Core&#8217;s history. Under certain conditions, a miner could create a specially crafted invalid block that would crash the victim&#8217;s node during parallel script verification.<\/p>\n<p>In theory, the incorrect memory state could also open a path to remote code execution. Bitcoin Core deemed such a scenario unlikely due to block format constraints but assessed the risk as high.<\/p>\n<p>A simple economic factor limited the attack: exploiting the vulnerability would require an attacker to expend real <a href=\"https:\/\/forklog.com\/en\/news\/what-are-hashrate-and-mining-difficulty-in-cryptocurrencies\">hashrate<\/a> on <a href=\"https:\/\/forklog.com\/en\/news\/how-bitcoin-mining-works\">mining<\/a> invalid blocks without receiving a reward.<\/p>\n<p>Developers have fixed the bug, but a significant portion of the network has yet to update. According to <a href=\"https:\/\/dashboard.clarkmoody.com\/\">Clark Moody<\/a>, about 43% of Bitcoin nodes still run on older client versions.<\/p>\n<p>In April, programmers <a href=\"https:\/\/forklog.com\/en\/news\/bitcoin-core-to-showcase-bitcoin-consensus-vulnerabilities\">demonstrated<\/a> Bitcoin consensus vulnerabilities.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bitcoin Core has fixed a memory safety-related bug. 
A significant portion of nodes still operates with vulnerable software.<\/p>\n","protected":false},"author":1,"featured_media":96883,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Bitcoin Core fixed a memory safety bug; many nodes remain vulnerable.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[18,143],"class_list":["post-96882","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-bitcoin","tag-bitcoin-core"],"aioseo_notices":[],"amp_enabled":true,"views":"2","promo_type":"1","layout_type":"1","short_excerpt":"Bitcoin Core fixed a memory safety bug; many nodes remain vulnerable.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=96882"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96882\/revisions"}],"predecessor-version":[{"id":96884,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96882\/revisions\/96884"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/96883"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=96882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=96882"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=96882"}],"curi
es":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}