The Bitcoin Core team has addressed a memory safety issue. A significant portion of nodes are still operating on vulnerable software.
A new high severity level advisory has been posted: https://t.co/zBboOF1IJC
— Bitcoin Core Project (@bitcoincoreorg) May 5, 2026
The vulnerability was discovered by researcher Cory Fields, who reported it on November 2, 2024.
A few days later, developer Pieter Wuille released a hidden patch under a neutral title, described as a routine improvement for debugging parallel script verification, to avoid drawing attention from potential attackers.
The fix was integrated into the codebase in December 2024 and included in the Bitcoin Core 29.0 release in April 2025. The last vulnerable branch, 28.x, reached the end of its life cycle on April 19, 2026—only after which developers disclosed the details.
Bitcoin Core emphasized that the vulnerability did not affect the consensus rules of the blockchain and was solely related to local memory handling in the node software.
What Was the Issue?
The vulnerability was the first memory safety bug in Bitcoin Core's history. Under certain conditions, a miner could create a specially crafted invalid block that would crash the victim's node during parallel script verification.
In theory, the resulting improper memory state could also lead to remote code execution. Bitcoin Core considered such a scenario unlikely because of block format limitations, but still assessed the risk as high.
The economic factor served as a deterrent: exploiting the vulnerability would require an attacker to expend real hashrate on mining invalid blocks without receiving any rewards.
While developers have fixed the bug, a significant portion of the network has yet to update. According to Clark Moody, about 43% of Bitcoin nodes are still running on earlier client versions.
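For operators who run several nodes, the check that matters is whether each one reports a release at or above 29.0. The sketch below is an added example, not code from Bitcoin Core or from the advisory; it reads the `subversion` field of `bitcoin-cli getnetworkinfo` output, and the host names and sample responses are constructed.

```python
import json
import re

FIXED_IN = (29, 0)  # first release carrying the fix, per the article

# Constructed inventory: host name -> raw output of `bitcoin-cli getnetworkinfo`
# collected from that host, trimmed to the one field used here.
SAMPLE_FLEET = {
    "node-a": '{"subversion": "/Satoshi:29.0.0/"}',
    "node-b": '{"subversion": "/Satoshi:28.1.0/"}',
    "node-c": '{"subversion": "/Satoshi:0.21.1/"}',
    "node-d": '{"subversion": "/Satoshi:29.1.0(fleet)/"}',
    "node-e": '{"subversion": "/btcd:0.24.2/"}',
    "node-f": "connection refused",
}

# Bitcoin Core user agents start with /Satoshi:MAJOR.MINOR...
_CORE_UA = re.compile(r"^/Satoshi:(\d+)\.(\d+)")


def classify(networkinfo_json):
    """Return 'fixed', 'before_fix' or 'unknown' for one node's response."""
    try:
        subversion = json.loads(networkinfo_json).get("subversion", "")
    except (ValueError, AttributeError):
        return "unknown"  # not JSON, or not a JSON object
    match = _CORE_UA.match(subversion) if isinstance(subversion, str) else None
    if match is None:
        return "unknown"  # other clients are reported, not guessed at
    version = (int(match.group(1)), int(match.group(2)))
    # Old-style 0.x releases compare lower than 29.0 as tuples.
    return "fixed" if version >= FIXED_IN else "before_fix"


def audit(fleet):
    """Group host names by status so stale nodes can be scheduled for upgrade."""
    report = {"fixed": [], "before_fix": [], "unknown": []}
    for host in sorted(fleet):
        report[classify(fleet[host])].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_FLEET).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The article does not say how far back the affected versions go, so `before_fix` means only that the release predates 29.0.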
As a reminder, in April, programmers demonstrated vulnerabilities in Bitcoin's consensus.
