
Critical Bitcoin Core Bug Could Have Allowed Miners to Execute Code on Full Nodes

Bitcoin Core developers have disclosed a serious security vulnerability that could have allowed malicious miners to remotely crash—or potentially execute code on—other people’s Bitcoin nodes. While there’s no evidence the exploit was ever used in the wild, the revelation is one of the most significant Bitcoin Core security disclosures in recent years. 


The Vulnerability Impacted Bitcoin Core for Years

The bug, tracked as CVE-2024-52911, affected Bitcoin Core versions 0.14.1 through 28.4, meaning vulnerable software existed across a large portion of the network for years before the issue was fully disclosed. According to developers, the flaw involved a rare but dangerous type of memory issue known as a “use-after-free” bug, where software continues to access memory after it has already been freed. In Bitcoin’s case, the issue existed inside the system responsible for validating blocks and transaction scripts. Under certain conditions, specially crafted blocks could cause nodes to:

  • Crash unexpectedly
  • Corrupt memory states
  • Potentially allow remote code execution on affected systems.

Bitcoin Core developer Niklas Gögge reportedly described it as the “first ever memory safety issue” publicly disclosed in Bitcoin Core. 


Why the Attack Was Difficult to Pull Off

Although the vulnerability was serious, exploiting it would have been extremely expensive.

To trigger the bug, an attacker needed to:

  • Be an active Bitcoin miner
  • Produce specially crafted invalid blocks
  • Commit significant computational hashpower toward mining those blocks

The problem for attackers was economic: The malicious blocks would not qualify for legitimate mining rewards, meaning the miner would effectively burn electricity and resources purely to attack the network.  That high cost likely prevented widespread exploitation. Still, developers acknowledged that a sufficiently motivated miner theoretically could have:

  • Crashed vulnerable nodes globally
  • Interfered with network operations
  • Or potentially executed malicious code remotely.

The Bug Was Quietly Patched Months Ago

The vulnerability was first discovered privately by developer Cory Fields in November 2024 through responsible disclosure. Rather than publicly announcing the issue immediately, developers quietly patched the bug through a seemingly routine update labeled: “Improve parallel script validation error debug logging.” The fix was merged into Bitcoin Core by late 2024, and fully patched releases became standard with:

  • Bitcoin Core v29.0
  • And later versions released throughout 2025.

The delayed disclosure was intentional. Bitcoin developers historically keep critical bugs secret until most node operators have upgraded, preventing attackers from weaponizing public disclosures before patches spread across the network. 


Many Bitcoin Nodes May Still Be Vulnerable

One of the biggest concerns is that Bitcoin software upgrades are voluntary and not automatic. Reports suggest a large percentage of reachable Bitcoin nodes may still be running outdated versions vulnerable to the exploit. Some estimates cited by Protos suggest as much as 43% of nodes remain on pre-v29 software.  That creates a familiar issue within Bitcoin’s decentralized design. Security patches exist—but users must manually adopt them.
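A node operator can apply the version range given above (0.14.1 through 28.4 affected, fixed in v29.0) to the user-agent strings that their own node and its peers report. The Python below is an added example, not code from the article or from Bitcoin Core; it assumes the `/Satoshi:X.Y.Z/` user-agent form that Bitcoin Core reports in the `subversion` field of `getnetworkinfo` and the `subver` field of `getpeerinfo`, and the sample strings are constructed.

```python
import re
from collections import Counter

# Range as stated in the article: 0.14.1 through 28.4 affected, fixed in 29.0.
FIRST_AFFECTED = (0, 14, 1)
LAST_AFFECTED_SERIES = (28, 4)
FIRST_FIXED = (29, 0, 0)

# Assumed user-agent shape: "/Satoshi:X.Y[.Z]/", optionally with a (comment).
_UA = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?")


def parse_core_version(subver):
    """Return (major, minor, patch) from a user-agent string, or None."""
    m = _UA.search(subver or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(subver):
    """Map a self-reported user agent onto the article's version range."""
    v = parse_core_version(subver)
    if v is None:
        return "unknown"            # not a Bitcoin Core style user agent
    if v >= FIRST_FIXED:
        return "patched"
    if v < FIRST_AFFECTED:
        return "older-than-range"   # predates 0.14.1
    if v[:2] <= LAST_AFFECTED_SERIES:
        return "affected"
    return "unlisted"               # above 28.4, below 29.0: article is silent


def summarize(subvers):
    """Count peers per category, e.g. from the subver fields of getpeerinfo."""
    return Counter(classify(s) for s in subvers)


# Constructed sample, not real peer data.
SAMPLE_PEERS = [
    "/Satoshi:29.0.0/",
    "/Satoshi:28.1.0/",
    "/Satoshi:0.21.1/",
    "/Satoshi:27.0.0(example-node)/",
    "/Satoshi:0.13.2/",
    "/othernode:1.0.0/",
]

if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE_PEERS).items()):
        print(f"{category:18}{count}")
```

User agents are self-reported, so peer counts are an estimate; for your own node, the `subversion` value from `getnetworkinfo` is the one that matters.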


This Isn’t the First Major Bitcoin Core Bug

While Bitcoin is often promoted as highly secure, this disclosure adds to a growing list of historical Bitcoin Core vulnerabilities.

Past issues have included:

  • Inflation bugs
  • Chain split vulnerabilities
  • Consensus failures
  • Double-spend exploits that were patched before widespread abuse.

The difference here is the nature of the exploit. This bug potentially crossed from blockchain consensus risk into actual remote software execution risk—a far more severe class of vulnerability.


The Bigger Picture

This disclosure highlights an important reality often overlooked in crypto. Bitcoin’s security depends not just on its consensus model—but also on the quality and safety of the software running the network.

The good news:

  • The bug was responsibly disclosed
  • It appears not to have been exploited publicly
  • Modern Bitcoin Core releases are already patched.

But the story also reinforces a larger lesson. Even the most battle-tested decentralized networks can contain hidden vulnerabilities for years before they’re discovered. As Bitcoin grows into global financial infrastructure, software security around node implementations may become just as important as Bitcoin’s underlying monetary design itself. 

Terron Gold
