CVE-2016-10725

moderate-risk

Published 2018-07-05

In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which is supposed to override all other alerts) because operations occur in the wrong order. This behavior occurs in the remote network alert system (deprecated since Q1 2016). This affects other uses of the codebase, such as Bitcoin Knots before v0.13.0.knots20160814 and many altcoins.

Do I need to act?

1.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (3)

Bitcoin Core

Bitcoin-Qt

Bitcoind

Affected Vendors

Bitcoin

References (8)

https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure

Vendor Advisory https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

https://github.com/JinBean/CVE-Extension

Third Party Advisory https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.html

https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure

Vendor Advisory https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

https://github.com/JinBean/CVE-Extension

Third Party Advisory https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 9/34 · Low