TL;DR:
- Bitcoin Core silently patched CVE-2024-52911, its first memory security bug, before publicly disclosing it this week.
- The flaw affected all versions from 0.14.0 through 28.x and allowed a miner to remotely crash nodes with invalid blocks.
- Around 43% of active nodes would still be running software prior to version 29.0, leaving them exposed.
Bitcoin CoreĀ secretly patched the first memory security vulnerability in the project’s history, months before publicly disclosing it. The flaw, catalogued asĀ CVE-2024-52911Ā and classified as high severity, affected all software versions betweenĀ 0.14.0 and 28.x, and created the possibility that a maliciousĀ minerĀ couldĀ remotely crash third-party nodesĀ through specially crafted invalid blocks.
The bug corresponds to aĀ *use-after-free*Ā vulnerability in the script validation engine. During block validation, precalculated data stored in cacheĀ could be destroyed while a background validation thread was still reading it. Given the underlying mechanism, the exploit not only enabled an abrupt node shutdown, but also left open ā though unlikely āĀ the possibility of remote code execution during the resulting abnormal memory state.
Bitcoin Core: A Silent Patch that Protected the Network
Cory Fields, a researcher at the MIT Digital Currency Initiative,Ā discovered the vulnerability andĀ privatelyĀ reported it on November 2, 2024. Four days later, Bitcoin Core developerĀ Pieter WuilleĀ implemented a covert fix, deliberately titled “Improve parallel script validation error debug logging” to avoid alerting potential attackers. The fix was incorporated into the repository in December 2024 and distributed with Bitcoin Core v29.0 in April 2025.
Public disclosure only took place once the 28.x version line reached end of life on April 19, 2026. Developer Niklas Gƶgge noted that this is theĀ first memory security issueĀ recorded in approximately two years of the project’s public security advisory history, andĀ acknowledged Fields’ responsible disclosure.
Why Was There No Exploit?
The deterrent element built into the attack vector also deserves attention: any miner attempting to exploit itĀ would have needed to burn real hashpower on invalid blocks with noĀ rewardĀ whatsoeverĀ ā a guaranteed loss that likely explains why the vulnerability remained dormant in practice.
Bitcoin’s consensus rules were not affected at any point, as the bug was confined to the node software’s memory handling. However, based on estimates from Clark Moody’s dashboard,Ā around 43% of active nodes would still be running versions prior to v29.0 and would remain exposed.
