A high-severity vulnerability in Bitcoin Core, the primary client software for the Bitcoin network, could allow miners to crash unpatched nodes, according to a public disclosure from developers on May 6, 2026. An estimated 43 percent of network nodes remain exposed to the bug, which was patched more than a year ago.
The vulnerability, labeled CVE-2024-52911, was a “use-after-free” memory error discovered by Cory Fields of MIT's Digital Currency Initiative, according to the official notice. Fields privately reported the issue on November 2, 2024, allowing developers to quietly issue a fix before bad actors could exploit it.
The bug affects all Bitcoin Core versions from 0.14.0 through 28.x. It could be triggered if a miner with sufficient hashpower submitted a specially crafted invalid block, causing vulnerable nodes to crash. Because the flaw is a memory error, the disclosure states that remote code execution was a possibility, though unlikely. The fix was included in Bitcoin Core version 29.0, released in April 2025.
The primary risk is to network stability, as a successful exploit could knock a significant portion of nodes offline. The attack's built-in deterrent is its cost: a miner would need to spend significant proof-of-work resources to mine an invalid block, forgoing any block reward. However, with roughly 43 percent of nodes still running vulnerable software, per data from Clark Moody's dashboard, the disclosure highlights the ongoing challenge of coordinating updates in a decentralized ecosystem.
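As an added example (not code from the article, Bitcoin Core, or Clark Moody's dashboard), the following Python classifies peer user-agent strings, in the form Bitcoin Core reports in the `subversion` field of `getpeerinfo`, against the affected range the disclosure gives (0.14.0 through 28.x, fixed in 29.0) and computes the share of identifiable Core peers still exposed. The peer list is constructed for illustration; non-Core agents are counted as unknown rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range per the disclosure: 0.14.0 through 28.x; first fixed release is 29.0.
FIRST_AFFECTED = (0, 14, 0)
FIRST_FIXED = (29, 0, 0)

# Bitcoin Core advertises itself as "/Satoshi:<major>.<minor>[.<patch>]/";
# older releases used a leading 0 (e.g. 0.21.1), newer ones do not (e.g. 28.1.0).
_SATOSHI_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample of peer user agents (hypothetical, not live network data).
SAMPLE_PEERS: List[str] = [
    "/Satoshi:28.1.0/",
    "/Satoshi:29.0.0/",
    "/Satoshi:0.21.1/",
    "/Satoshi:0.13.2/",
    "/btcwire:0.5.0/btcd:0.24.2/",
    "/Satoshi:28.0.0/",
    "/Satoshi:29.1.0/",
]


def parse_core_version(subversion: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Bitcoin Core user agent.

    Returns None for agents that are not Bitcoin Core or cannot be parsed.
    """
    m = _SATOSHI_RE.search(subversion)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(subversion: str) -> Optional[bool]:
    """True if the agent is a Core release inside the affected range,
    False if it is Core but outside that range, None if not identifiable."""
    version = parse_core_version(subversion)
    if version is None:
        return None
    # Tuple comparison orders (0, 21, 1) below (28, 1, 0) below (29, 0, 0).
    return FIRST_AFFECTED <= version < FIRST_FIXED


def exposure_summary(subversions: List[str]) -> Tuple[Dict[str, int], float]:
    """Count peers by status and return the vulnerable share of identifiable Core peers."""
    counts = {"vulnerable": 0, "not_affected": 0, "unknown": 0}
    for agent in subversions:
        status = is_vulnerable(agent)
        if status is None:
            counts["unknown"] += 1
        elif status:
            counts["vulnerable"] += 1
        else:
            counts["not_affected"] += 1
    identifiable = counts["vulnerable"] + counts["not_affected"]
    share = counts["vulnerable"] / identifiable if identifiable else 0.0
    return counts, share


if __name__ == "__main__":
    counts, share = exposure_summary(SAMPLE_PEERS)
    print(counts)
    print(f"vulnerable share of identifiable Core peers: {share:.0%}")
```

On a live node the same logic would be fed the `subversion` values from `bitcoin-cli getpeerinfo`; the unknown bucket is kept separate so that non-Core clients do not skew the share either way.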
The Responsible Disclosure
The handling of CVE-2024-52911 serves as a case study in responsible disclosure. After the private report in November 2024, Bitcoin Core developer Pieter Wuille submitted a covert fix just four days later, deliberately mislabeling it so as not to flag the vulnerability to potential attackers. The fix was merged in December 2024 and shipped in April 2025. Developers waited until May 2026 for public disclosure, after the last vulnerable software version, 28.x, officially reached its end-of-life.
In a post on X, developer Niklas Gögge noted this was "the first ever memory safety issue" across roughly two years of the project's public security advisories, crediting Fields for the responsible disclosure process. The bug did not affect Bitcoin's consensus rules or introduce any on-chain changes.
The incident underscores how important it is for node operators to keep their software updated to the latest version in order to preserve the security and stability of the network.
This article is for informational purposes only and does not constitute investment advice.