The bug has been present since Bitcoin Core 0.14.0, released in 2017.
The fix was covertly integrated into GitHub PR #31112.
Bitcoin Core publicly disclosed on May 5 a high-severity vulnerability that affected its software between versions 0.14.0 and 28, a range that spans approximately nine years of development.
According to the official notice, the flaw allowed an attacker capable of mining a block with sufficient proof of work to force third-party nodes to shut down by exploiting a memory management error.
According to Bitcoin Core, the vulnerability resided in the script interpreter responsible for validating transactions. The organization points out that, during validation of a block containing specially constructed invalid transactions, a background processing thread could access data already removed from memory, a bug known in programming as a use-after-free (memory is used after it has been released), which caused the affected node to crash.
Bitcoin Core is the reference software that implements the Bitcoin network protocol. Its development is maintained by a group of open source contributors, and it represents the technical basis on which most of the network’s full nodes operate, so vulnerabilities in this software have direct implications for the stability and integrity of the Bitcoin infrastructure.
Researcher Cory Fields, from the MIT Digital Currency Initiative, reported the bug privately on November 2, 2024. According to the timeline published by Bitcoin Core, developer Pieter Wuille incorporated a fix days later into a pull request that was already open, without publicly revealing its purpose. The corrected version, Bitcoin Core 29.0, was released on April 12, 2025. For some, the modification occurred “under the hood.”
Correction and its disclosure
Bitcoin Core indicates that public disclosure was delayed until the last vulnerable version, the 28.x branch, reached its official end-of-life, which occurred on April 19, 2026. This practice, known as responsible disclosure, seeks to ensure that users have had enough time to update before the technical details of the flaw are made public.
The organization specifies that, although the nature of the error made remote code execution on the affected nodes theoretically possible, the restrictions inherent to the block format made this scenario unlikely. The most realistic impact, according to Bitcoin Core, was the forced shutdown of the node.
Bitcoin Core highlights that node operators who migrated to version 29.0 or later at the time of its launch were not exposed during the public disclosure window. The organization does not report evidence that the vulnerability has been exploited before its correction.
