* [bitcoindev] Re: Public disclosure of one high severity Bitcoin Core advisory (CVE-2024-52911)
2026-05-05 13:17 [bitcoindev] Public disclosure of one high severity Bitcoin Core advisory (CVE-2024-52911) Niklas Goegge
@ 2026-05-06 0:25 ` Antoine Riard
0 siblings, 0 replies; 2+ messages in thread
From: Antoine Riard @ 2026-05-06 0:25 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 2641 bytes --]
Hi, This is an interesting class of bug. Escalating a use-after-free into a
userspace remote code execution do not seem as unlikely as one can think.
Thinking briefly about an escalation strategy: - 1. make specifically
crafted invalid block (e.g a multi-input tx) - 2. scan the used kernel by
the node to rough guess the memory allocator used - 3. progressively fill
bitcoind to reach process virtual mem limit (i.e can't `mmap()` anymore) -
4. trigger the struct pointer being freed (here it would be
`PrecomputedTransactionData`) - 5. on a background / parallel thread
accessing sensitive data struct, got the mem area being reallocated - 6. on
your original thread, access the pointer to write in the sensitive struct
Now, the open question is if the accessed data struct is somehow consensus,
if it could be more severe than a simple crash, e.g a netsplit. Easier said
than done, that is sure. With the validation code, currently it requires
the `cs_main` lock, so in my understanding numerous entry points also
requiring a lock held cannot be leveraged, that makes it harder to find a
gadget (the step 4). I don't think you can ruled out non-cs_main holding
entry points (e.g a RPC call), as long as the gadget is living in the same
process memory space one might be able to trigger it. Minimal validation
code that's less gadgets that can be adverserialy re-used for this class of
bug. 0.14 -> nov 2024. 7 years not being found. Best, Antoine OTS:
7396aa55e02738434d26e27cdadc9649ce568c38c3a3977d1f9094d1658d3c8d
Le Tuesday, May 5, 2026 à 2:41:20 PM UTC+1, Niklas Goegge a écrit :
> Hi everyone,
>
> In accordance with our security disclosure policy, we are sharing one
> advisory for a
> *high-severity* security vulnerability fixed in Bitcoin Core version 29.0
> and above.
>
> The detailed advisory can be found here:
> https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/.
>
> Thanks to Cory Fields for reporting this issue and to everyone involved in
> fixing it.
>
> Our disclosure policy as well as previously disclosed vulnerabilities are
> available on the Bitcoin Core website at
> https://bitcoincore.org/en/security-advisories/.
>
> Niklas Goegge
>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/1eebd976-c242-4c6f-a8ce-4fc8d093a447n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 3795 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread