Vulnerability Report: GO-2024-3189
- CVE-2024-38365, GHSA-27vh-h6mc-q6g8
- Affects: github.com/btcsuite/btcd
- Published: Oct 15, 2024
- Modified: Oct 17, 2024
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.
For detailed information about this vulnerability, visit https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8.
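The advisory names the two functions but does not spell out where their behaviour diverges; what a client must match is Bitcoin Core's reference semantics. The Go block below is an example added here, not btcd's code and not the fix in the linked commit: it re-implements Core's FindAndDelete, taking b as the signature already serialized as a script push, and removes only byte-exact copies of that serialized push that begin on an opcode boundary (the names opLen and findAndDelete are this example's own).

```go
package main

import "bytes"

// opLen returns the serialized length (opcode plus push payload) of the
// opcode at the start of s, or -1 if s ends in the middle of a push.
func opLen(s []byte) int {
	op := int(s[0])
	hdr, n := 1, op // direct push: the opcode byte is the payload length
	switch {
	case op > 0x4e: // every non-push opcode is a single byte
		return 1
	case op == 0x4c && len(s) >= 2: // OP_PUSHDATA1
		hdr, n = 2, int(s[1])
	case op == 0x4d && len(s) >= 3: // OP_PUSHDATA2, little-endian length
		hdr, n = 3, int(s[1])|int(s[2])<<8
	case op == 0x4e && len(s) >= 5: // OP_PUSHDATA4
		hdr, n = 5, int(s[1])|int(s[2])<<8|int(s[3])<<16|int(s[4])<<24
	case op >= 0x4c: // PUSHDATA opcode whose length field is cut off
		return -1
	}
	if len(s) < hdr+n {
		return -1
	}
	return hdr + n
}

// findAndDelete mirrors Bitcoin Core's FindAndDelete: b is the signature
// serialized as a push (length prefix plus bytes); walking the script one
// opcode at a time, every run of b starting on an opcode boundary is dropped.
// The same bytes under another push encoding, or inside a larger push, stay.
func findAndDelete(script, b []byte) ([]byte, int) {
	out, found, pc := []byte{}, 0, 0
	for pc < len(script) {
		if len(b) > 0 && bytes.HasPrefix(script[pc:], b) {
			pc, found = pc+len(b), found+1
			continue
		}
		n := opLen(script[pc:])
		if n < 0 { // malformed push: Core copies the remainder verbatim
			n = len(script) - pc
		}
		out = append(out, script[pc:pc+n]...)
		pc += n
	}
	return out, found
}
```

Used as a differential oracle, this reference and the implementation under test must return the same stripped script for every input; any script on which they disagree is exactly the kind of transaction the advisory warns about.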
Affected Packages
- Path: github.com/btcsuite/btcd
- Go Versions: before v0.24.2-beta.rc1
- Custom Versions*: -
- Symbols: -
*Custom versions, which can't be mapped automatically to standard Go module versions, are ignored by govulncheck.
References
- https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8
- https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5
- https://delvingbitcoin.org/t/cve-2024-38365-public-disclosure-btcd-findanddelete-bug/1184
- https://github.com/btcsuite/btcd/releases/tag/v0.24.2
- https://vuln.go.dev/ID/GO-2024-3189.json
Credits
- darosior, dergoegge