CVE-2022-39389

MEDIUM
Published Nov 17, 20223y ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Nov 17, 2022 3y ago
Last Modified Jun 17, 2026 2w ago

Description

Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 2

VendorProductVersionRange
btcd_projectbtcd* <0.23.3
lightning_network_daemon_projectlightning_network_daemon* <0.15.4

References 4

  • github.com https://github.com/lightningnetwork/lnd/issues/7096
    ExploitIssue TrackingPatchThird Party Advisory
  • github.com https://github.com/lightningnetwork/lnd/pull/7098
    PatchThird Party Advisory
  • github.com https://github.com/lightningnetwork/lnd/releases/tag/v0.15.4-beta
    Release NotesThird Party Advisory
  • github.com https://github.com/lightningnetwork/lnd/security/advisories/GHSA-hc82-w9v8-83pr
    Third Party Advisory

Remediation

  • github.com https://github.com/lightningnetwork/lnd/issues/7096
    ExploitIssue TrackingPatchThird Party Advisory
  • github.com https://github.com/lightningnetwork/lnd/pull/7098
    PatchThird Party Advisory