CVE-2024-38365

HIGH EPSS 59.2%
Published Oct 11, 20241y ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Oct 11, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one). This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block. `removeOpcodeByData(script []byte, dataToRemove []byte)` removes any data pushes from `script` that contain `dataToRemove`. However, `FindAndDelete` only removes exact matches. So for example, with `script = "<data> <data||foo>"` and `dataToRemove = "data"` btcd will remove both data pushes but Bitcoin Core's `FindAndDelete` only removes the first `<data>` push. This has been patched in btcd version v0.24.2. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
59.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-670

Affected Products 1

VendorProductVersionRange
btcd_projectbtcd*≥0.10.0  –  <0.24.2

References 4

  • delvingbitcoin.org https://delvingbitcoin.org/t/cve-2024-38365-public-disclosure-btcd-findanddelete-bug/1184
    Issue Tracking
  • github.com https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5
    Patch
  • github.com https://github.com/btcsuite/btcd/releases/tag/v0.24.2
    Release Notes
  • github.com https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8
    Vendor Advisory

Remediation

  • github.com https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5
    Patch