Bitcoin Core patched memory bug; 43% of nodes still exposed

Developers fixed a high‑severity memory bug in Dec 2024 after a private report, but roughly 43% of reachable nodes still run pre‑v29 software and remain exposed.

Bitcoin Core developers patched a high‑severity memory safety bug in December 2024 that affected releases from 0.14.0 through the 28.x series. The flaw, tracked as CVE-2024-52911, could allow a miner to publish specially crafted invalid blocks that crash other nodes and, in abnormal memory states after a crash, potentially enable remote code execution.

The defect was discovered by Cory Fields of the MIT Digital Currency Initiative and privately reported on November 2, 2024. Four days later, developer Pieter Wuille submitted a low‑visibility fix under the commit title “Improve parallel script validation error debug logging.” The change was merged in December 2024 and included in Bitcoin Core 29.0, released in April 2025. The project withheld public disclosure until the 28.x release line reached end of life on April 19, 2026, and posted the advisory on May 5, 2026.

Technically, the bug is a use‑after‑free error during script validation. In normal operation it can cause a node process to abort. In rare circumstances, the abnormal memory state that follows such an abort can be used to run arbitrary code, although Bitcoin Core developers said the structure and checks of block data make that outcome unlikely.

Exploitation required a miner to expend real proof‑of‑work creating invalid blocks, with no possibility of earning the associated block reward. That cost would make attempts expensive for an attacker.

An estimate based on a widely used node dashboard indicates about 43% of reachable Bitcoin nodes are still running pre‑v29 releases and therefore remain exposed to the issue. Operators who have not upgraded could see their nodes crash if a miner attempted the attack, which could disrupt peers that rely on those nodes for validation and relaying.

Developer Niklas Gögge noted on X that the advisory represents “the first ever memory safety issue” in roughly two years of the project's public security notices and credited Cory Fields for responsible private disclosure.

Developers emphasized the bug did not change consensus rules or on‑chain behavior; it was limited to node software memory handling. Node operators are advised to run Bitcoin Core 29.0 or later to obtain the memory safety fixes.
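
A version audit for the range given above, as an added example that is not code from Bitcoin Core or its advisory: it classifies the integer `version` field of `getnetworkinfo` and the `subver` strings of `getpeerinfo` against 0.14.0 through 28.x. It assumes the user agent reports the version honestly; the peer list and comment string are constructed samples.

```python
import re
from collections import Counter

# Range as stated in the article: 0.14.0 through 28.x affected, fixed in 29.0.
FIRST_AFFECTED, FIRST_FIXED = (0, 14, 0), (29, 0, 0)
_UA = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?[^/]*/")

def parse_subver(subver):
    """'/Satoshi:28.1.0/' -> (28, 1, 0); None for other or malformed agents."""
    m = _UA.search(subver or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def decode_version_int(v):
    """Decode the integer 'version' field of getnetworkinfo.
    Before 22.0 the leading pair is the 0.x minor (210100 -> 0.21.1);
    from 22.0 on it is the major (280100 -> 28.1.0)."""
    a, b, c = v // 10000, (v // 100) % 100, v % 100
    return (0, a, b) if a < 22 else (a, b, c)

def classify(ver):
    """Map a version tuple to a status relative to the stated range."""
    if ver is None:
        return "unknown"
    if ver >= FIRST_FIXED:
        return "fixed"
    return "affected" if ver >= FIRST_AFFECTED else "outside-stated-range"

def audit(local_version_int, peers):
    """Return (status of the local node, Counter of peer statuses)."""
    local = classify(decode_version_int(local_version_int))
    return local, Counter(classify(parse_subver(p.get("subver"))) for p in peers)

# Constructed sample shaped like getpeerinfo output (only 'subver' is used).
SAMPLE_PEERS = [
    {"subver": "/Satoshi:29.0.0/"},
    {"subver": "/Satoshi:28.1.0/"},
    {"subver": "/Satoshi:0.21.1/"},
    {"subver": "/Satoshi:27.0.0(constructed-comment)/"},
    {"subver": "/Satoshi:0.13.2/"},
    {"subver": "/otherclient:1.2.3/"},
]

if __name__ == "__main__":
    print(audit(280100, SAMPLE_PEERS))
```

Agents that do not carry a `Satoshi` token are reported as `unknown` rather than guessed at, since the article states the range only for Bitcoin Core releases.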

The disclosure comes amid other technical work on Bitcoin infrastructure, including a proposal to phase out legacy signature types and a separate research idea intended to protect long‑dormant early coins without forcing large‑scale address migration.
