A vulnerability in Bitcoin Core allows miners to run code on others' nodes, with about 43% of nodes still unpatched

According to Protos, Bitcoin Core developers recently disclosed a high-risk vulnerability numbered CVE-2024-52911, which affects versions 0.14.1 to 28.4, allowing miners to remotely crash other users' nodes and execute code by mining specially crafted blocks.

The vulnerability was discovered and responsibly disclosed by developer Cory Fields in November 2024. The fix was merged in December of that year and released with version v29 in April 2025. The last vulnerable 28.x version series was discontinued on April 19, 2026.

However, since upgrading Bitcoin full nodes is voluntary, it is estimated that about 43% of nodes are still running the vulnerable old version software, facing potential risks. Fortunately, the cost of implementing such an attack is extremely high—miners would need to allocate significant computational power to mine invalid blocks that do not yield block rewards—so it is likely that it has never been exploited in practice.