Bitcoin Core, the primary software client for Bitcoin full nodes, recently disclosed that it quietly patched a high-severity memory safety vulnerability in version 29.0, released in April 2025. Labeled CVE-2024-52911, the bug affected all Bitcoin Core versions from 0.14.0 through 28.x and allowed miners to remotely crash other users' nodes—and potentially execute code—using specially crafted invalid blocks.
The flaw was discovered by Cory Fields of MIT's Digital Currency Initiative, who privately reported it on November 2, 2024. Within days, Bitcoin Core developer Pieter Wuille merged a covert fix under the innocuous-looking title "Improve parallel script validation error debug logging." The patched code shipped in Bitcoin Core 29.0 (April 2025). Support for the vulnerable 28.x line ended on April 19, 2026, and data from node monitoring services indicates that approximately 43% of reachable Bitcoin nodes are still running software older than version 29.0, leaving them exposed.
The vulnerability was a use-after-free memory error that could crash a node and, in theory, allow remote code execution. However, the attack required a miner to waste real proof-of-work on invalid blocks with no chance of reward, creating a natural economic deterrent. Bitcoin's consensus rules were unaffected; the bug was confined to node memory handling.
Although the fix has been publicly available for over a year, the large fraction of unpatched nodes remains a latent risk to network stability. The disclosure serves as a reminder of the importance of regular software maintenance and prompt upgrades. The incident also comes amid growing focus on Bitcoin's infrastructure security, including recent proposals like BIP-361 to phase out legacy signature types in response to quantum computing threats.
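For operators checking their own exposure, the affected range given above (0.14.0 through 28.x, fixed in 29.0) can be applied to the user-agent strings that peers report, such as the `subver` field of `getpeerinfo`. The following is an added example, not code from Bitcoin Core or from the disclosure; the sample strings are constructed, and it assumes any client reporting a `Satoshi` version is classified by that number.

```python
import re
from collections import Counter

# Range stated in the article: 0.14.0 through 28.x affected, fixed in 29.0.
FIRST_AFFECTED = (0, 14, 0)
FIRST_FIXED = (29, 0, 0)

# Bitcoin Core component of a BIP 14 user agent, e.g. "/Satoshi:28.1.0/"
# or "/Satoshi:0.21.1(comment)/".
_SATOSHI = re.compile(r"/Satoshi:(\d+(?:\.\d+){1,3})")


def parse_version(subver):
    """Return the Satoshi version as a 3-tuple, or None if absent."""
    m = _SATOSHI.search(subver or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(subver):
    """Map a user-agent string to a CVE-2024-52911 exposure label."""
    v = parse_version(subver)
    if v is None:
        return "unknown"          # not a Core-style agent; check separately
    if v < FIRST_AFFECTED:
        return "outside-range"    # older than 0.14.0, below the stated range
    if v < FIRST_FIXED:
        return "affected"
    return "patched"


def audit(subvers):
    """Count exposure labels across a list of user-agent strings."""
    return Counter(classify(s) for s in subvers)


# Constructed sample input, not taken from any real node.
SAMPLE = [
    "/Satoshi:29.0.0/",
    "/Satoshi:28.1.0/",
    "/Satoshi:0.21.1/",
    "/Satoshi:27.1.0(node1)/",
    "/Satoshi:0.13.2/",
    "/btcd:0.24.2/",
]

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE).items()):
        print(f"{label}: {count}")
```

Tuple comparison handles the change in version numbering, since pre-22.0 releases parse with a leading 0 and still sort below 29.0.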