@@ -18,14 +18,74 @@ as well as provides a summary of historical Security Advisories.
1818When reported, a vulnerability will be assigned a severity category. We
1919differentiate between 4 classes of vulnerabilities:
2020
21- * ** Low** : bugs which are hard to exploit or have a low impact. For instance
22- a wallet bug which requires access to the victim's machine.
21+ ### Critical
2322
24- * ** Medium** : bugs with limited impact. For instance a local network remote crash.
23+ Bugs that threaten the fundamental security and integrity of the entire Bitcoin
24+ network. These are bugs that allow for coin theft at the protocol level, the
25+ creation of coins outside of the specified issuance schedule, or permanent,
26+ network-wide chain splits.
2527
26- * ** High** : bugs with significant impact. For instance a remote crash, or a local network RCE.
28+ Examples:
29+ * A bug allowing inflating the money supply by spending the same transaction
30+ output twice within a block ([ CVE-2018 -17144] ( /en/2018/09/20/notice/ ) ).
31+ * A consensus failure where nodes running older software rejected a block that
32+ newer software accepted due to an underlying database limit, causing a
33+ network-wide chain split ([ BIP
34+ 50] ( https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki ) ).
2735
28- * ** Critical** : bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
36+ ### High
37+
38+ Bugs with a significant impact on affected nodes or the network. These are
39+ typically exploitable remotely under default configurations and can cause
40+ widespread disruption.
41+
42+ Examples:
43+ * A remotely triggerable crash that could take many nodes offline
44+ ([ CVE-2024 -35202] ( /en/2024/10/08/disclose-blocktxn-crash/ ) ).
45+ * A denial-of-service attack that causes a node to stall for an extended
46+ period, preventing it from processing new transactions and blocks
47+ ([ CVE-2024 -52914] ( /en/2024/07/03/disclose-orphan-dos/ ) ).
48+ * A memory exhaustion vulnerability that could be triggered remotely to crash
49+ nodes by having them store an excessive amount of block headers
50+ ([ CVE-2019 -25220] ( /en/2024/09/18/disclose-headers-oom/ ) ).
51+
52+ ### Medium
53+
54+ Bugs that can noticeably degrade the network's or a node's performance or
55+ functionality, but are limited in their scope or exploitability. These might
56+ require special conditions to trigger, such as non-default settings, or result
57+ in service degradation rather than a complete node failure.
58+
59+ Examples:
60+ * A potential Remote Code Execution (RCE) vulnerability on the local network
61+ that is only exploitable if a non-default feature like UPnP is enabled
62+ ([ CVE-2015 -20111] ( /en/2024/07/03/disclose_upnp_rce/ ) ).
63+ * A peer could hinder block propagation by sending mutated blocks, delaying the
64+ reception of new blocks for a node
65+ ([ CVE-2024 -52921] ( /en/2024/10/08/disclose-mutated-blocks-hindering-propagation/ ) ).
66+ * An attacker announcing a block to a node and then failing to provide it,
67+ causing the victim node to wait for up to 10 minutes before being able to
68+ fetch it from another peer
69+ ([ CVE-2024 -52922] ( /en/2024/11/05/cb-stall-hindering-propagation/ ) ).
70+
71+ ### Low
72+
73+ Bugs that are challenging to exploit or have a minor impact on a node's
74+ operation. They might only be triggerable under non-default configurations or
75+ from the local network, and do not pose an immediate or widespread threat.
76+
77+ Examples:
78+ * A malformed ` getdata ` message could cause a peer connection to enter an
79+ infinite loop, consuming CPU but not affecting the node's ability to process
80+ blocks or handle other peer connections
81+ ([ CVE-2024 -52920] ( /en/2024/07/03/disclose-getdata-cpu/ ) ).
82+ * A bug in a dependency that could crash a node, but only if a non-default
83+ feature like UPnP is enabled
84+ ([ CVE-2024 -52917] ( /en/2024/07/31/disclose-upnp-oom/ ) ).
85+ * A bug that could crash a node, but is extremely difficult to exploit
86+ ([ CVE-2024 -52919] ( /en/2025/04/28/disclose-cve-2024-52919/ ) ).
87+
88+ ---
2989
3090** Low** severity bugs will be disclosed 2 weeks after a fixed version exists on the current major release branch.
3191 A pre-announcement will be made at the same time as the release.
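Review bot: the reclassification criterion for non-default features should be stated explicitly in the category definitions, not only implied by the examples. The removed High definition listed "a local network RCE" as High, while the new Medium section files a local-network RCE that needs UPnP (CVE-2015-20111) under Medium and the new Low section files a UPnP-gated crash (CVE-2024-52917) under Low; the only text that justifies this is "typically exploitable remotely under default configurations" in High and "such as non-default settings" in Medium. Suggest one sentence after "We differentiate between 4 classes of vulnerabilities:" along the lines of "Bugs that are only reachable with non-default settings (e.g. UPnP) or from the local network are generally rated one class lower than the equivalent default-configuration bug." Separately, the hunk reverses the category order to Critical-first, but the unchanged paragraphs that follow the new `---` rule still start with "**Low** severity bugs will be disclosed ..."; consider reordering the disclosure-timeline paragraphs to match.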