CVE-2016-10724

moderate-risk

Published 2018-07-05

Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain private key that had been known by unintended actors, because of an infinitely sized map. This affects other uses of the codebase, such as Bitcoin Knots before v0.13.0.knots20160814 and many altcoins.

Do I need to act?

0.73% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (3)

Bitcoin Core

Bitcoin-Qt

Bitcoind

Affected Vendors

Bitcoin

References (8)

https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure

Vendor Advisory https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

https://github.com/JinBean/CVE-Extension

Third Party Advisory https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.html

https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure

Vendor Advisory https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

https://github.com/JinBean/CVE-Extension

Third Party Advisory https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 9/34 · Low