Bitcoin Core devs have dropped the details on a critical vulnerability, CVE-2024-52911, that allows remote shutdown of network nodes or execution of arbitrary code. This marks the first serious memory leak in the project's history. Over 43% of nodes are still at risk, though the cost of an attack for hackers is pretty steep.
Source of info: Bitcoin Dev Mailing List
A use-after-free vulnerability arises in the script interpreter during block validation. If a miner creates a specially crafted invalid block, the node might access already freed memory, leading to crashes or potential takeover.
Why this matters
This is considered the first serious memory security flaw in the project's history.
Threat scale
Versions from 0.14.1 to 28.4 are under fire. As of May 2026, approximately 43% of all active nodes are still running outdated software and remain vulnerable.
Economic barrier
Despite the danger, a real attack is unlikely due to its high cost. The miner would have to spend massive amounts of electricity to create a block with sufficient Proof-of-Work, which would still be rejected by the network as invalid, so the attacker wouldn't earn any rewards.
Solution
The bug was patched back in version v29.0, released in April 2025. Public disclosure occurred only on May 5, 2026, after the last vulnerable line (28.x) officially reached its end of life.
Conclusion
Bitcoin Core developers fixed the critical vulnerability CVE-2024-52911, which theoretically allowed nodes to be stopped or arbitrary code executed through a memory handling bug. Although 43% of nodes remain vulnerable, the actual threat is low, and users are advised to upgrade to version v29.0 or higher. Such a precedent is important as a benchmark for users to protect their assets, considering the evolution of the Bitcoin system.