Vulnerability Description
Bitcoin Core 0.12.0 through 0.21.1 does not implement the replacement policy specified in BIP125 as written, which makes it easier for attackers to cause a loss of funds or a denial of service against downstream projects such as Lightning Network nodes. An unconfirmed child transaction with nSequence = 0xffffffff that spends an unconfirmed parent with nSequence <= 0xfffffffd should be replaceable under BIP125, because the child inherits the parent's replaceability signal. The actual PreChecks implementation does not enforce this inherited signaling; the mempool rejects the attempt to replace such an unconfirmed child. Software that relies on BIP125 inherited signaling to fee-bump or replace a transaction can therefore be pinned by a conflicting unsignaled child it cannot evict.
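The following is an added example, not Bitcoin Core code, that models the policy gap described above. It implements BIP125 rule 1 twice: once as the BIP specifies it (explicit signaling on the conflicting transaction, or inherited signaling from an unconfirmed ancestor), and once as the affected PreChecks behaves (explicit signaling only). The transaction identifiers, fee values and the single-rule fee check are constructed for the illustration; the rejection label mirrors Bitcoin Core's `txn-mempool-conflict` reason but the remaining BIP125 rules (no new unconfirmed inputs, feerate, eviction limit) are deliberately omitted.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

SEQUENCE_FINAL = 0xFFFFFFFF
# BIP125: an input with nSequence <= 0xfffffffd explicitly signals replaceability.
MAX_BIP125_RBF_SEQUENCE = 0xFFFFFFFD


@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    prev_vout: int
    n_sequence: int = SEQUENCE_FINAL


@dataclass(frozen=True)
class Tx:
    txid: str
    vin: Tuple[TxIn, ...]
    fee: int  # absolute fee in satoshis (constructed values)


def signals_explicitly(tx: Tx) -> bool:
    """Explicit BIP125 signaling: any input with nSequence <= 0xfffffffd."""
    return any(i.n_sequence <= MAX_BIP125_RBF_SEQUENCE for i in tx.vin)


class Mempool:
    """Toy mempool tracking which outpoint each unconfirmed transaction spends."""

    def __init__(self) -> None:
        self.txs: Dict[str, Tx] = {}
        self.spent_by: Dict[Tuple[str, int], str] = {}  # outpoint -> spending txid

    def add(self, tx: Tx) -> None:
        self.txs[tx.txid] = tx
        for i in tx.vin:
            self.spent_by[(i.prev_txid, i.prev_vout)] = tx.txid

    def signals_inherited(self, tx: Tx) -> bool:
        """Inherited BIP125 signaling: some unconfirmed ancestor signals explicitly.
        Parents that are not in the mempool are treated as confirmed and ignored."""
        stack = [i.prev_txid for i in tx.vin]
        seen: Set[str] = set()
        while stack:
            txid = stack.pop()
            if txid in seen or txid not in self.txs:
                continue
            seen.add(txid)
            parent = self.txs[txid]
            if signals_explicitly(parent):
                return True
            stack.extend(i.prev_txid for i in parent.vin)
        return False

    def conflicts(self, tx: Tx) -> Set[str]:
        """Mempool transactions spending an outpoint that tx also spends."""
        return {self.spent_by[(i.prev_txid, i.prev_vout)] for i in tx.vin
                if (i.prev_txid, i.prev_vout) in self.spent_by}

    def check_replacement(self, tx: Tx, policy: str) -> Tuple[bool, str]:
        """policy 'bip125': explicit or inherited signal on each conflict (the BIP as written).
        policy 'bitcoin-core': explicit signal only (the affected PreChecks behaviour)."""
        conflicting = self.conflicts(tx)
        if not conflicting:
            return True, "no-conflict"
        for txid in conflicting:
            victim = self.txs[txid]
            ok = signals_explicitly(victim) or (
                policy == "bip125" and self.signals_inherited(victim))
            if not ok:
                return False, f"txn-mempool-conflict: {txid} does not signal under {policy}"
        # Simplified BIP125 rule 3: the replacement must pay more absolute fee than it evicts.
        if tx.fee <= sum(self.txs[t].fee for t in conflicting):
            return False, "insufficient fee"
        return True, "replaceable"


def cve_2021_31876_scenario() -> Dict[str, Tuple[bool, str]]:
    """Parent signals (0xfffffffd); child is final (0xffffffff) and relies on inheritance."""
    mp = Mempool()
    parent = Tx("parent", (TxIn("confirmed_coin", 0, MAX_BIP125_RBF_SEQUENCE),), fee=1_000)
    child = Tx("child", (TxIn("parent", 0),), fee=500)  # nSequence defaults to final
    mp.add(parent)
    mp.add(child)
    # A higher-fee conflict of the child, e.g. a fee bump by the rightful owner.
    bump = Tx("child_bump", (TxIn("parent", 0, MAX_BIP125_RBF_SEQUENCE),), fee=2_000)
    return {
        "bip125_as_specified": mp.check_replacement(bump, "bip125"),
        "bitcoin_core_0.12_to_0.21.1": mp.check_replacement(bump, "bitcoin-core"),
    }


def explicit_signal_workaround() -> Tuple[bool, str]:
    """Downstream mitigation: set nSequence <= 0xfffffffd on the child itself."""
    mp = Mempool()
    parent = Tx("parent", (TxIn("confirmed_coin", 0, MAX_BIP125_RBF_SEQUENCE),), fee=1_000)
    child = Tx("child", (TxIn("parent", 0, MAX_BIP125_RBF_SEQUENCE),), fee=500)
    mp.add(parent)
    mp.add(child)
    bump = Tx("child_bump", (TxIn("parent", 0, MAX_BIP125_RBF_SEQUENCE),), fee=2_000)
    return mp.check_replacement(bump, "bitcoin-core")
```

`cve_2021_31876_scenario()` returns `replaceable` under the BIP as written and a `txn-mempool-conflict` rejection under the modelled Bitcoin Core check; `explicit_signal_workaround()` shows the practical consequence for downstream software such as Lightning implementations: do not rely on inherited signaling, set the BIP125 sequence on every transaction you may later need to replace.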
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitcoin | Bitcoin | >= 0.12.0, <= 0.21.1 |
Related Weaknesses (CWE)
References
- https://bitcoinops.org/en/newsletters/2021/05/12/ (Vendor Advisory)
- https://bitcoinops.org/en/topics/replace-by-fee/ (Vendor Advisory)
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2021-31876 (Third Party Advisory)
- https://github.com/bitcoin/bitcoin (Third Party Advisory)
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/018893.html (Mailing List, Third Party Advisory)
FAQ
What is CVE-2021-31876?
CVE-2021-31876 is a vulnerability with a CVSS base score of 6.5 (MEDIUM). Bitcoin Core 0.12.0 through 0.21.1 does not implement the BIP125 replacement policy as specified: it does not honour inherited replaceability signaling, so an unconfirmed child with nSequence = 0xffffffff spending a signaling parent cannot be replaced. This makes it easier for attackers to cause a loss of funds or a denial of service against downstream projects such as Lightning Network nodes (see the Vulnerability Description above).
How severe is CVE-2021-31876?
CVE-2021-31876 has been rated MEDIUM with a CVSS base score of 6.5/10. This page lists only the base score and rating; no vector breakdown is given here.
Is there a patch for CVE-2021-31876?
Check the references section above for vendor advisories and patch information; the bitcoin-dev mailing list post and the Bitcoin Optech newsletter describe the discrepancy between BIP125 and Bitcoin Core's behaviour. Affected products include: Bitcoin Bitcoin (Bitcoin Core 0.12.0 through 0.21.1). Downstream software should not rely on inherited signaling and should set nSequence <= 0xfffffffd on any transaction it may need to replace.