Bitcoin Core Quietly Fixed High-Severity Memory Flaw CVE-2024-52911 Ahead of Disclosure
Bitcoin Core has patched a serious memory-safety vulnerability, CVE-2024-52911, months before disclosing it publicly this week. The issue, rated high severity, affected every release from v0.14.0 through the 28.x line and could have allowed a malicious miner to crash nodes remotely by sending specially crafted invalid blocks.
The bug was a use-after-free condition in the script validation engine. During block validation, cached precomputed data could be freed while a background validation thread was still reading it. The expected impact was a forced node shutdown; an additional, though considered unlikely, risk of remote code execution could not be fully ruled out due to the abnormal memory state.
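To make the lifetime hazard concrete, here is an added C++ sketch (not Bitcoin Core's code; the types, field names and `ValidateBlock` are hypothetical stand-ins) showing the hardened ownership pattern: the queued script checks co-own the precomputed data, so releasing the validator's cache early cannot free memory a check still reads.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for the per-transaction precomputed data that script checks read
// (constructed for this example; not Bitcoin Core's own type).
struct PrecomputedData {
    uint64_t hash_prevouts;
    uint64_t hash_sequence;
};

// A queued script check. Owning the data through a shared_ptr, rather than a
// raw pointer into the validator's cache, is the lifetime fix: the data cannot
// be freed while a check that references it is still pending on a worker.
struct ScriptCheck {
    std::shared_ptr<const PrecomputedData> txdata;
    uint64_t Run() const { return txdata->hash_prevouts ^ txdata->hash_sequence; }
};

// The vulnerable shape of this bug class, kept as a comment rather than run:
// the validator keeps PrecomputedData in a std::vector, hands `&cache[i]` to
// each check, and then clears that vector on an error path while a worker is
// still reading through the pointer, which is a use-after-free.

struct ValidationResult {
    uint64_t digest;            // XOR of all check results (constructed stand-in for pass/fail)
    long owners_after_release;  // shared_ptr use_count of the first check's data
};

// Hardened ordering: the cache may be released before the queued checks run
// (a sequential stand-in for the error path racing the worker thread) and
// every check still reads live memory.
ValidationResult ValidateBlock(const std::vector<std::pair<uint64_t, uint64_t>>& txs,
                               bool release_cache_early) {
    std::vector<std::shared_ptr<const PrecomputedData>> cache;
    std::vector<ScriptCheck> checks;
    for (const auto& tx : txs) {
        cache.push_back(std::make_shared<PrecomputedData>(PrecomputedData{tx.first, tx.second}));
        checks.push_back(ScriptCheck{cache.back()});  // check becomes a second owner
    }
    if (release_cache_early) cache.clear();  // drops only the validator's references
    ValidationResult out{0, checks.empty() ? 0 : checks.front().txdata.use_count()};
    for (const ScriptCheck& c : checks) out.digest ^= c.Run();
    return out;
}
```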
Cory Fields of the MIT Digital Currency Initiative reported the vulnerability privately on Nov. 2, 2024. Bitcoin Core developer Pieter Wuille implemented a low-profile fix four days later, using the deliberately bland title "Improve parallel script validation error debug logging" to avoid drawing attention. The patch landed in the codebase in December 2024 and shipped with Bitcoin Core v29.0 in April 2025. Public disclosure was delayed until the 28.x series reached end of life on April 19, 2026.
Developer Niklas Gögge said this was the first memory-security issue noted in roughly two years of the project's published security-advisory record and credited Fields for responsible disclosure.
Despite its severity, exploitation was economically unattractive: a miner would have had to spend real hashpower producing invalid, non-rewarding blocks, effectively guaranteeing a loss. Bitcoin's consensus rules were never at risk, as the flaw was limited to node memory handling. Based on Clark Moody's dashboard estimates, about 43% of active nodes may still be running pre-v29.0 versions and could remain exposed.