Vulnerability Description
The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj's local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1.
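The two fast paths side by side, as an added illustration that is not bitcoinj's own code: P-256 and a truncated SHA-256 stand in for secp256k1 and HASH160 so it runs on the Go standard library, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Stand-ins so this runs on the Go standard library alone: P-256 instead of
// secp256k1, and SHA-256 truncated to 20 bytes instead of RIPEMD160(SHA256(pub)).
func hash160(pub []byte) []byte { h := sha256.Sum256(pub); return h[:20] }

// encodePub serialises the point as X||Y; its hash160 is what a P2PKH
// scriptPubKey (or a native P2WPKH witness program) commits to.
func encodePub(pub *ecdsa.PublicKey) []byte {
	return append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...)
}

type Witness struct{ Sig []byte; Pub *ecdsa.PublicKey } // spender-supplied pair

// spendsVulnerable mirrors the flawed fast path: the signature is checked against
// the key the spender supplied, but nothing ties that key to the committed hash.
func spendsVulnerable(committed []byte, w Witness, sighash []byte) bool {
	return ecdsa.VerifyASN1(w.Pub, sighash, w.Sig)
}

// spendsFixed adds the check the full interpreter performs through
// OP_DUP OP_HASH160 <committed> OP_EQUALVERIFY before it reaches OP_CHECKSIG.
func spendsFixed(committed []byte, w Witness, sighash []byte) bool {
	return bytes.Equal(hash160(encodePub(w.Pub)), committed) && spendsVulnerable(committed, w, sighash)
}

// demo locks a constructed output to owner's key, spends it with a freshly generated
// foreign key, and returns each path's verdict plus the fixed path's verdict for owner.
func demo() (vulnAccepts, fixedAccepts, ownerAccepts bool) {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	foreign, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	committed := hash160(encodePub(&owner.PublicKey))
	sighash := sha256.Sum256([]byte("constructed spending transaction"))
	fsig, _ := ecdsa.SignASN1(rand.Reader, foreign, sighash[:])
	osig, _ := ecdsa.SignASN1(rand.Reader, owner, sighash[:])
	w := Witness{fsig, &foreign.PublicKey}
	return spendsVulnerable(committed, w, sighash[:]), spendsFixed(committed, w, sighash[:]),
		spendsFixed(committed, Witness{osig, &owner.PublicKey}, sighash[:])
}

func main() { fmt.Println(demo()) } // prints: true false true
```

The vulnerable path accepts the foreign keypair for an output it never owned, while the fixed path rejects it and still accepts the genuine owner's spend.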
CVSS Score
7.5 (HIGH)
Related Weaknesses (CWE)
References
- https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d7920
- https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ab
- https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc
FAQ
What is CVE-2026-44714?
CVE-2026-44714 is a vulnerability with a CVSS score of 7.5 (HIGH). The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH ...
How severe is CVE-2026-44714?
CVE-2026-44714 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-44714?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.