CVE-2021-3401
CRITICALBitcoin Core < 0.19.0 - Remote Code Execution via -platformpluginpath Argument Injection
Title source: llmDescription
Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser. NOTE: the discoverer states "I believe that this vulnerability cannot actually be exploited."
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://achow101.com/2021/02/0.18-uri-vuln
Patch, Third Party Advisory x_refsource_misc
https://github.com/bitcoin/bitcoin/pull/16578
Scores
CVSS v3
9.8
EPSS
0.1048
EPSS Percentile
95.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-88
Status
published
Products (1)
bitcoin/bitcoin
< 0.19.0
Published
Feb 04, 2021
Tracked Since
Feb 18, 2026