
As reported by Protos on May 5, Bitcoin Core developers publicly disclosed a high-severity vulnerability, CVE-2024-52911, on the project's official website. The vulnerability allows a miner to mine specially crafted blocks that remotely crash other users' nodes and, under certain conditions, execute code on them. Because Bitcoin full-node upgrades are voluntary, an estimated 43% of nodes are still running the vulnerable older software.
According to the Bitcoin Core official announcement and Protos’ report on May 5, CVE-2024-52911 is a “use-after-free” memory safety vulnerability found in Bitcoin Core’s parallel script verification mechanism. During block validation, Bitcoin Core precomputes and caches transaction input data, then dispatches script verification work to a backend thread. If the backend script verification thread reads cached data that has been destroyed by CScriptCheck, remote code execution may occur.
Bitcoin Core developer Niklas Gögge said this is the first “memory safety” vulnerability in Bitcoin Core’s history. Bitcoin Core’s official announcement confirmed that Bitcoin’s consensus rules have not changed as a result of the vulnerability being fixed.
According to Protos, carrying out this attack requires miners to devote a large amount of computing power to mining invalid blocks that earn no block reward, which makes the cost extremely high. As a result, the Bitcoin Core official announcement considers it likely that the vulnerability was never actually exploited.
According to the Bitcoin Core official announcement and Protos’ report on May 5, the disclosure timeline for CVE-2024-52911 is as follows:
November 2024: Developer Cory Fields discovered the vulnerability and reported it privately
November 2024 (four days after discovery): Pieter Wuille submitted a proposed patch, PR #31112
December 2024: PR #31112 merged into production
April 2025: Bitcoin Core v29.0 was released, including the patch
April 19, 2026: Maintenance ended for the last affected version series (28.x)
May 5, 2026: Bitcoin Core publicly disclosed the vulnerability on its official website
According to Protos' report on May 5, because Bitcoin full-node upgrades are voluntary and updates are not applied automatically, an estimated 43% of Bitcoin nodes are still running vulnerable versions prior to v29.0. Bitcoin Core recommends that node operators upgrade to v29.0 or a newer version.
According to the Bitcoin Core official announcement, CVE-2024-52911 allows miners to mine specially crafted blocks to remotely crash nodes running Bitcoin Core versions 0.14.1 to 28.4, and execute remote code under certain conditions. Bitcoin’s consensus rules have not changed as a result of the vulnerability being fixed.
The versions affected by CVE-2024-52911 are Bitcoin Core 0.14.1 to 28.4. Node operators should upgrade to v29.0 or a newer version. The last affected 28.x version series stopped being maintained on April 19, 2026.
According to the Bitcoin Core official announcement and Protos' report on May 5, this attack requires miners to devote a large amount of computing power to mining invalid blocks that earn no block reward, which makes the cost extremely high. Bitcoin Core considers it likely that the vulnerability was never actually exploited.
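For operators who want to check their exposure against the version range given above, the following is an added example (not code from Bitcoin Core or Protos) that classifies the local node and its peers from the `subversion` and `subver` fields of `bitcoin-cli getnetworkinfo` and `bitcoin-cli getpeerinfo` output. It assumes every release before 29.0, starting at 0.14.1, is affected, as the article states; the function names and sample data are constructed for illustration.

```python
import json
import re

# Range taken from the article: affected 0.14.1 through 28.4, fixed in 29.0.
FIRST_AFFECTED = (0, 14, 1)
FIRST_FIXED = (29, 0, 0)

_UA = re.compile(r"^/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?")


def parse_core_version(user_agent):
    """Return (major, minor, patch) from a '/Satoshi:x.y.z/' string, else None."""
    m = _UA.match(user_agent or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(user_agent):
    """'affected', 'not_affected' or 'unknown' for one user-agent string."""
    v = parse_core_version(user_agent)
    if v is None:
        return "unknown"
    # Tuple comparison also orders the old 0.x scheme before 22.0 and later.
    return "affected" if FIRST_AFFECTED <= v < FIRST_FIXED else "not_affected"


def audit(getnetworkinfo_json, getpeerinfo_json):
    """Classify the local node and tally peers by status."""
    local = json.loads(getnetworkinfo_json)["subversion"]
    tally = {"affected": 0, "not_affected": 0, "unknown": 0}
    for peer in json.loads(getpeerinfo_json):
        # Peer user agents are self-reported, so treat the tally as an estimate.
        tally[classify(peer.get("subver", ""))] += 1
    return classify(local), tally


# Constructed sample RPC output (trimmed to the fields used here).
SAMPLE_NETWORKINFO = '{"version": 280100, "subversion": "/Satoshi:28.1.0/"}'
SAMPLE_PEERINFO = json.dumps([
    {"subver": "/Satoshi:0.14.0/"},   # older than the first affected release
    {"subver": "/Satoshi:0.21.1/"},
    {"subver": "/Satoshi:27.0.0/"},
    {"subver": "/Satoshi:29.0.0/"},
    {"subver": "/btcwire:0.5.0/btcd:0.24.2/"},  # not a Bitcoin Core agent
    {"subver": ""},
])

if __name__ == "__main__":
    print(audit(SAMPLE_NETWORKINFO, SAMPLE_PEERINFO))
```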