Bitcoin Core Security Advisory and 10 Older Vulnerabilities Revealed

5 replies 92 views
ryan_nodeSenior Member
Posts: 204 · Reputation: 859
#1Jul 10, 2026, 09:59 AM
check this out for details on the security issues: https://bitcoincore.org/en/security-advisories/ also found some info in this google group: https://groups.google.com/g/bitcoindev/c/Q2ZGit2wF7w the vulnerabilities that were mentioned today have already been patched in version 0.21 and earlier. by the end of July, they will also share the ones fixed in version 22.0, and in August, it’ll be 23.0. they’ll keep this up until all undisclosed vulnerabilities in outdated Bitcoin Core versions are addressed.
8 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#2Jul 12, 2026, 05:27 PM
Good to see that this is being made public. It should also give people more confidence that issues are being worked on. It then made me take a look at bitnodes.io to see how many older versions (14 to 20 )were still running out there. Was surprised to see that it was in the multiple hundreds. There are over 500 nodes just on 0.20.xx alone. Have to wonder who and why they are running it. Also brings up the question, has any testing been done to see if any old issues have been reintroduced. Kind of like the OpenSSH vulnerability disclosed earlier this week: -Dave
0 Reply Quote Share
ryan_nodeSenior Member
Posts: 204 · Reputation: 859
#3Jul 12, 2026, 06:05 PM
Newly added code has tests. Several of the issues disclosed today were fixed by throwing away and completely replacing the vulnerable code, so the newly introduced code would have its own tests. Some things like the miniupnp vulnerabilities are because of that dependency. There isn't a whole lot that we can do about it other than bumping to the latest dependency version or working out ways to get rid of the dependency entirely. Several issues were discovered via fuzzing, and the fuzz inputs have been added to our fuzz input corpus that oss-fuzz uses. So reintroduction of those specific issues would be caught by those fuzzers. Otherwise, these bugs can be kind of hard to test for since many of them are stalling issues.
1 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#4Jul 12, 2026, 07:39 PM
I get all of that, but what I was thinking about was something closer to the SSH type of issue. It was vulnerable, it was fixed, it was tested fixed, and the someone broke it. However, since it was fixed and tested they didn't think to test it every release. I know it's all rare / edge case kind of stuff but going back and making sure something that was fixed didn't get broken again might not be the worst. If it's possible to test for these things. -Dave
4 Reply Quote Share
ryan_nodeSenior Member
Posts: 204 · Reputation: 859
#5Jul 12, 2026, 11:29 PM
I don't know what OpenSSH's testing infrastructure is like, but for Bitcoin Core, the unit and functional tests (including regression tests) are run automatically on every PR before being merged, and on the master branch after anything is merged. If the fix included tests for the fix, unless someone removes the tests for the fix, regressions should be caught. Otherwise it would be insane to manually test for every single bug that was fixed, security or otherwise. That is simply untenable, and that's what testing infrastructure, including fuzzers, is for.
0 Reply Quote Share
fox100Senior Member
Posts: 165 · Reputation: 1050
#6Jul 13, 2026, 12:06 AM
There were a few times in the past where I worried about some new PR potentially re-introducing an old non-disclosed issue. ...  unfortunately you can't really solve it with testing because *vulnerabilities* (to a greater extent than plain bugs) are often fragile enough that the old trigger condition still won't trigger the issue even if it's reintroduced in some form. The reason for this is because a bug is more likely when the software accidentally does the wrong thing, something that no one wanted, just by chance... but a vulnerability is more when the software does a thing an attacker wants.  An attacker isn't stopped by the exact sequences of operations needing to be slightly different, etc.  Often the triggering conditions of vulnerabilities are fairly complex, which is part of how ordinary testing failed to catch them to begin with. But quiet fixes aren't done by making a simple one line change to the issue, but instead by routing around it entirely... so they're not so easy to accidentally reverse.  The kind of place where I think reintroduction was more likely is the reuse of a defective pattern... e.g. did it like this before and that turned out to be flawed because X/Y/Z. Unfortunately there just really isn't a replacement for experience, even disclosure doesn't do that-- because even now with these issues disclosed it's unlikely too many contributors understand the issues particularly deeply.
3 Reply Quote Share

Related topics

Bitcoin Core Security Advisory and 10 Older Vulnerabilities Revealed | Cryptoforum