Vulnerability Description
In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which is supposed to override all other alerts) because operations occur in the wrong order. This behavior occurs in the remote network alert system (deprecated since Q1 2016). This affects other uses of the codebase, such as Bitcoin Knots before v0.13.0.knots20160814 and many altcoins.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitcoin | Bitcoin Core | < 0.13.0 |
| Bitcoin | Bitcoin-Qt | < 0.13.0 |
| Bitcoin | Bitcoind | < 0.13.0 |
Related Weaknesses (CWE)
References
- https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_ExposuresVendor Advisory
- https://github.com/JinBean/CVE-Extension
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.htmlThird Party Advisory
- https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_ExposuresVendor Advisory
- https://github.com/JinBean/CVE-Extension
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.htmlThird Party Advisory
FAQ
What is CVE-2016-10725?
CVE-2016-10725 is a vulnerability with a CVSS score of 7.5 (HIGH). In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which is supposed to override all other alerts) because operations occur in the wrong order. This behavior...
How severe is CVE-2016-10725?
CVE-2016-10725 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10725?
Check the references section above for vendor advisories and patch information. Affected products include: Bitcoin Bitcoin Core, Bitcoin Bitcoin-Qt, Bitcoin Bitcoind.