Bitcoin Core developers today disclosed a critical vulnerability, CVE-2024-52911, that allowed miners to remotely crash other people’s nodes and execute code on them. The high-severity bug affected Bitcoin Core versions 0.14.1 through 28.4.

Developer Cory Fields responsibly disclosed the issue and helped patch it via Pull Request (PR) 31112. Had a miner exploited the flaw, they could have executed code on nodes worldwide. However, the attack’s prohibitive cost likely prevented widespread abuse.

The attack required miners to direct significant hashpower toward mining invalid blocks. These blocks consumed electricity but could not earn coinbase rewards, making the operation financially unsustainable. Despite the expense, the mechanism was straightforward to execute.

Niklas Gögge, a Bitcoin Core contributor, highlighted the rarity of the bug:

We've been publishing Bitcoin Core security advisories for ~2 years now, and (afaik) we just disclosed the first ever memory safety issue: A use-after-free in the validation engine.
— Niklas Gögge (@dergoegge) May 5, 2026

A miner producing a specially crafted block with sufficient proof-of-work could crash victim nodes and potentially use the crash to take over their memory for remote code execution. While Bitcoin Core confirmed remote code execution was possible, it did not cite specific instances of exploitation.

How the Bug Worked: A Use-After-Free Memory Flaw

Bitcoin Core’s advisory described the bug as a script interpreter crash. During block validation, the software pre-calculates and caches transaction input data, then dispatches script validation to background threads that read the cached data from memory.

Under a CVE-2024-52911 attack, the node could continue reading from cached memory after that data had been freed by another process. This use-after-free memory bug created an abnormal state where remote code execution became possible.

Specifically, the bug occurred when a node’s background script thread read cached, precomputed transaction data after it had been destroyed by a CScriptCheck process.
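
The lifetime hazard described above, as a simplified C++ model added here for illustration; it is not Bitcoin Core's code and not the fix from PR 31112. All type and function names are hypothetical, and shared ownership is shown as one general way to keep cached data alive until the last background check has run.

```cpp
// Simplified model of the lifetime hazard; all names are hypothetical, not Bitcoin Core's.
#include <cstddef>
#include <cstdio>
#include <future>
#include <memory>
#include <utility>
#include <vector>

// Stands in for the per-transaction data that is precomputed and cached.
struct PrecomputedTxData {
    std::vector<int> input_digests;
};

// A deferred check that a background thread runs later.
// Hazard: if this held a raw `const PrecomputedTxData*`, the code that built the
// cache could destroy it while the check is still queued, and the worker would
// then read freed memory. Here each check co-owns the cache instead.
struct ScriptCheck {
    std::shared_ptr<const PrecomputedTxData> txdata;
    std::size_t input_index;
    bool operator()() const { return txdata->input_digests.at(input_index) != 0; }
};

// Builds one check per input. The local handle to the cache is released on return;
// the cache stays alive only because the queued checks hold references to it.
std::vector<ScriptCheck> QueueChecks(std::vector<int> digests) {
    auto txdata = std::make_shared<const PrecomputedTxData>(PrecomputedTxData{std::move(digests)});
    std::vector<ScriptCheck> checks;
    for (std::size_t i = 0; i < txdata->input_digests.size(); ++i) checks.push_back(ScriptCheck{txdata, i});
    return checks;
}

// Runs every check on its own background thread and returns the number of failures.
int RunChecksInBackground(const std::vector<ScriptCheck>& checks) {
    std::vector<std::future<bool>> results;
    for (const ScriptCheck& check : checks) results.push_back(std::async(std::launch::async, check));
    int failed = 0;
    for (auto& result : results) if (!result.get()) ++failed;
    return failed;
}

int main() {
    // Constructed sample: four inputs, the third one (0) fails its check.
    std::printf("failed checks: %d\n", RunChecksInBackground(QueueChecks({1, 2, 0, 4})));
}
```

Building a model like this with AddressSanitizer and ThreadSanitizer enabled is a practical way to catch the raw-pointer variant of the pattern during testing.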

Why 43% of Bitcoin Nodes Remain Vulnerable

Bitcoin Core’s latest version, v29, patched the vulnerability. However, node upgrades are voluntary and not automatic. According to estimates, 43% of Bitcoin nodes still run vulnerable software based on pre-v29 code.

This delay leaves a significant portion of the network exposed to potential exploits, despite the attack’s high cost and historical constraints on block data.

Responsible Disclosure and Patch Timeline

Cory Fields detected and privately reported the bug as early as November 2024. Four days later, Pieter Wuille proposed a fix in PR 31112, titled “Improve parallel script validation error debug logging.” The patch was intentionally framed as a routine maintenance update to avoid tipping off potential attackers.

Source: Protos