From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Date: Tue, 5 May 2026 17:25:30 -0700 (PDT)
Subject: [bitcoindev] Re: Public disclosure of one high severity Bitcoin Core advisory (CVE-2024-52911)
Message-Id: <1eebd976-c242-4c6f-a8ce-4fc8d093a447n@googlegroups.com>

Hi,

This is an interesting class of bug. Escalating a use-after-free into userspace remote code execution does not seem as unlikely as one might think.

Thinking briefly about an escalation strategy:
- 1. make a specifically crafted invalid block (e.g. a multi-input tx)
- 2. scan the kernel used by the node to roughly guess the memory allocator used
- 3. progressively fill bitcoind to reach the process virtual mem limit (i.e. can't `mmap()` anymore)
- 4. trigger the struct pointer being freed (here it would be `PrecomputedTransactionData`)
- 5. on a background / parallel thread accessing a sensitive data struct, get the mem area reallocated
- 6. on your original thread, access the pointer to write into the sensitive struct

Now, the open question is if the accessed data struct is somehow consensus, if it could be more severe than a simple crash, e.g. a netsplit. Easier said than done, that is sure.

With the validation code, currently it requires the `cs_main` lock, so, in my understanding, numerous entry points that also require the lock to be held cannot be leveraged, which makes it harder to find a gadget (step 4). I don't think you can rule out non-cs_main-holding entry points (e.g. an RPC call): as long as the gadget is living in the same process memory space, one might be able to trigger it. Minimal validation code: that's fewer gadgets that can be adversarially re-used for this class of bug.

0.14 -> Nov 2024. 7 years without being found.

Best,
Antoine

OTS: 7396aa55e02738434d26e27cdadc9649ce568c38c3a3977d1f9094d1658d3c8d

Le Tuesday, May 5, 2026 à 2:41:20 PM UTC+1, Niklas Goegge a écrit :
> Hi everyone,
>
> In accordance with our security disclosure policy, we are sharing one advisory for a *high-severity* security vulnerability fixed in Bitcoin Core version 29.0 and above.
>
> The detailed advisory can be found here: https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/.
>
> Thanks to Cory Fields for reporting this issue and to everyone involved in fixing it.
>
> Our disclosure policy as well as previously disclosed vulnerabilities are available on the Bitcoin Core website at https://bitcoincore.org/en/security-advisories/.
>
> Niklas Goegge

-- 
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/1eebd976-c242-4c6f-a8ce-4fc8d093a447n%40googlegroups.com.
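Added illustration, not part of the original thread and not Bitcoin Core code: a toy size-class allocator that models steps 4 to 6 of the escalation sketch above (free the struct, have a parallel path's allocation of the same size land in its slot, then write through the stale pointer). `PrecomputedData` and `SensitiveState` are hypothetical stand-ins, and the two reuse policies are a simplification: REUSE_LIFO mimics a tcache-style bin that hands back the most recently freed chunk, REUSE_FIFO mimics an allocator that quarantines a just-freed slot. The point it makes is that the dangling write only corrupts the sensitive object when the allocator places the second allocation in the freed slot, which is why step 2 (guessing the allocator) matters.

```c
/*
 * Added example, not Bitcoin Core code. A toy size-class allocator that
 * models steps 4-6 of the escalation sketch: free an object, let another
 * allocation of the same size class land in its slot, then write through
 * the stale pointer. PrecomputedData / SensitiveState are hypothetical
 * stand-ins for the real structs.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE 64
#define NSLOTS 8

/* Which free slot the allocator hands out next. LIFO is what a tcache-style
 * bin does (most recently freed chunk first); FIFO models a quarantine that
 * delays reuse of a just-freed slot. */
typedef enum { REUSE_LIFO, REUSE_FIFO } Policy;

/* uint32_t backing store so every slot is suitably aligned for the structs. */
static uint32_t arena[NSLOTS][SLOT_SIZE / sizeof(uint32_t)];
static int freelist[NSLOTS];   /* ring buffer of free slot indexes */
static int head, count;        /* oldest free entry, number of free entries */
static Policy policy;

static void toy_init(Policy p) {
    policy = p;
    head = 0;
    count = NSLOTS;
    for (int i = 0; i < NSLOTS; i++) freelist[i] = i;
}

static void *toy_alloc(void) {
    if (count == 0) return NULL;
    int idx;
    if (policy == REUSE_LIFO) {
        idx = freelist[(head + count - 1) % NSLOTS];   /* newest free slot */
    } else {
        idx = freelist[head];                          /* oldest free slot */
        head = (head + 1) % NSLOTS;
    }
    count--;
    return arena[idx];
}

static void toy_free(void *p) {
    int idx = (int)(((uint8_t *)p - (uint8_t *)&arena[0][0]) / SLOT_SIZE);
    freelist[(head + count) % NSLOTS] = idx;           /* push at the tail */
    count++;
}

/* Both structs are exactly one slot (64 bytes), so they share a size class.
 * The field the stale write hits (ready) overlays the sensitive field
 * (best_height) because both sit at offset 0. */
typedef struct { uint32_t ready; uint8_t hash[32]; uint8_t pad[28]; } PrecomputedData;
typedef struct { uint32_t best_height; uint32_t flags; uint8_t tip[32]; uint8_t pad[24]; } SensitiveState;

typedef struct { int same_slot; uint32_t best_height; } Outcome;

/* Runs the dangling-write scenario under one reuse policy and reports
 * whether the second allocation landed in the freed slot and what the
 * sensitive field holds afterwards. */
Outcome run_scenario(Policy p) {
    toy_init(p);

    PrecomputedData *pd = toy_alloc();
    memset(pd, 0, SLOT_SIZE);
    pd->ready = 1;
    toy_free(pd);                        /* step 4: freed, but pd is never cleared */

    SensitiveState *st = toy_alloc();    /* step 5: a parallel path allocates the same size */
    memset(st, 0, SLOT_SIZE);
    st->best_height = 900000;

    pd->ready = 0xdeadbeef;              /* step 6: write through the stale pointer */

    Outcome o;
    o.same_slot = ((void *)pd == (void *)st);
    o.best_height = st->best_height;
    return o;
}

int main(void) {
    Outcome lifo = run_scenario(REUSE_LIFO);
    Outcome fifo = run_scenario(REUSE_FIFO);
    printf("LIFO reuse: same slot=%d best_height=0x%x\n", lifo.same_slot, (unsigned)lifo.best_height);
    printf("FIFO reuse: same slot=%d best_height=%u\n", fifo.same_slot, (unsigned)fifo.best_height);
    return 0;
}
```

Under the LIFO policy the second allocation gets the freed slot back and the stale store rewrites best_height; under the FIFO policy the freed slot is not handed out again immediately, so the same dangling write lands in a slot nobody else is using. In a real process the equivalent of "which policy" is the allocator in use and how full its bins are, which is what the filling step (3) tries to control.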