CVE-2020-26895
moderate-risk
Published 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations.
Do I need to act?
-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Lightning Network Daemon
Affected Vendors
References (6)
Third Party Advisory
https://gist.github.com/ariard/fb432a9d2cd3ba24fdc18ccc8c5c6eb4
Third Party Advisory
https://gist.github.com/ariard/fb432a9d2cd3ba24fdc18ccc8c5c6eb4
48
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
1/34 · Minimal
Exposure
26/34 · High