Vulnerability Details : CVE-2016-10724
Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain private key that had been known by unintended actors, because of an infinitely sized map. This affects other uses of the codebase, such as Bitcoin Knots before v0.13.0.knots20160814 and many altcoins.
Vulnerability category: Denial of service
Products affected by CVE-2016-10724
- cpe:2.3:a:bitcoin:bitcoind:*:*:*:*:*:*:*:*
- cpe:2.3:a:bitcoin:bitcoin-qt:*:*:*:*:*:*:*:*
- cpe:2.3:a:bitcoin:bitcoin_core:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-10724
0.39%: Probability of exploitation activity in the next 30 days
~ 70 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-10724
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C | 10.0 | 6.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2016-10724
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-10724
- https://github.com/JinBean/CVE-Extension
  GitHub - JinBean/CVE-Extension: This repository is an extension of our research on cryptocurrency clones and documents existing vulnerabilities discovered in those clones
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016189.html
  [bitcoin-dev] Alert key disclosure (Third Party Advisory)
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
  Common Vulnerabilities and Exposures - Bitcoin Wiki (Vendor Advisory)
- https://bitcoin.org/en/posts/alert-key-and-vulnerabilities-disclosure
  Alert Key and Alert System Vulnerabilities Disclosure