Bitcoin Core quietly patched its first-ever memory safety bug months before publicly disclosing the vulnerability on Tuesday, while a large share of nodes may still be running affected software.
The high-severity flaw could have allowed miners to remotely crash and potentially execute code on other user's nodes using specially crafted invalid blocks.
The vulnerability, labeled CVE-2024-52911, affected all Bitcoin Core versions from 0.14.0 through 28.x, according to the notice. A miner willing to spend real proof-of-work resources on specially crafted invalid blocks could have exploited it to crash victim nodes.
Furthermore, because the flaw is a use-after-free memory error, remote code execution was possible during the resulting abnormal memory state, though Bitcoin Core said block data constraints made that outcome unlikely.
However, the attack vector also carried a built-in deterrent.
Any miner attempting it would have needed to burn real hashpower on invalid blocks with no reward to recover. A guaranteed loss that likely kept the bug dormant in the wild.
Cory Fields of MIT's Digital Currency Initiative discovered the vulnerability and privately reported it on November 2, 2024.
Four days later, Bitcoin Core developer Pieter Wuille released a covert fix, deliberately titled "Improve parallel script validation error debug logging" to avoid flagging potential attackers.
The covert fix was merged in December 2024 and later shipped in Bitcoin Core version 29.0 in April 2025. The last vulnerable release line, version 28.x, reached end-of-life on April 19, 2026 — clearing the path for Tuesday's public disclosure.
Bitcoin Core developer Niklas Gögge wrote on X that it represents "the first ever memory safety issue" across roughly two years of the project's public security advisories, crediting Fields for responsible disclosure.
Bitcoin's consensus rules were not affected, since the bug was confined to node software memory handling and introduced no changes to onchain behavior.
Nevertheless, the disclosure arrived with an uncomfortable caveat.
According to one widely cited estimate based on Clark Moody's dashboard, approximately 43% of Bitcoin (BTC) nodes may still be still running pre-v29 software and remain exposed to the risk.
The vulnerability disclosure also adds to a period of acute focus on Bitcoin's infrastructure security.
In April, researchers proposed BIP-361 to phase out legacy signature types as a hedge against quantum computing threats, as The Block previously reported.
A separate Paradigm Research proposal has since offered an alternative mechanism to protect dormant Satoshi-era coins without forcing address migration.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
