Developers of the most popular bitcoin software implementation, Bitcoin Core, have revealed a now-fixed high-severity bug that could have affected the most critical part of the network – nodes.
According to the developers, an attacker could have crashed victim nodes, cutting them off from the network, or even used the crash to execute code on the victim's device remotely.
However, due to the high costs of this type of attack, as an attacker would need to secure substantial bitcoin mining capacity, the economic barrier was so high that it was impractical to weaponize the bug. It existed for about 8 years, from Bitcoin Core version 0.14.0 through 29.0. The most recent version of this software is 31.0, released this past April.
"We've been publishing Bitcoin Core security advisories for ~2 years now, and (afaik) we just disclosed the first ever memory safety issue: A use-after-free in the validation engine," developer Niklas Gögge said. A "use-after-free" bug is a flaw where a program tries to access a piece of memory it has already discarded.
This specific bug in Bitcoin Core was discovered by developer Cory Fields and reported in November 2024, while the fix was released with the 29.0 version of the software in April 2025. According to the Bitcoin Core policy, medium- and high-severity vulnerabilities are disclosed approximately 1 year after a major version containing the fix is first released.
High-severity bugs are considered those that could significantly impact nodes or the network.
"These are typically exploitable remotely under default configurations and can cause widespread disruption," the policy reads. Bitcoin nodes are programs that help store copies of the bitcoin blockchain, validate BTC transactions and blocks, and relay them to other nodes on the network.
The recent bug was not the first related to the ability to crash a node. A previous disclosure in October 2025 involved "a rare edge case" and was marked as low severity.
For now, 25 advisories have been announced in total.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked