Vulnerability Description
Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain private key that had been known by unintended actors, because of an infinitely sized map. This affects other uses of the codebase, such as Bitcoin Knots before v0.13.0.knots20160814 and many altcoins.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitcoin | Bitcoin Core | < 0.13.0 |
| Bitcoin | Bitcoin-Qt | < 0.13.0 |
| Bitcoin | Bitcoind | < 0.13.0 |
Related Weaknesses (CWE)
References
- https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_ExposuresVendor Advisory
- https://github.com/JinBean/CVE-Extension
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.htmlThird Party Advisory
- https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_ExposuresVendor Advisory
- https://github.com/JinBean/CVE-Extension
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.htmlThird Party Advisory
FAQ
What is CVE-2016-10724?
CVE-2016-10724 is a vulnerability with a CVSS score of 7.5 (HIGH). Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain privat...
How severe is CVE-2016-10724?
CVE-2016-10724 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10724?
Check the references section above for vendor advisories and patch information. Affected products include: Bitcoin Bitcoin Core, Bitcoin Bitcoin-Qt, Bitcoin Bitcoind.