CVE-2023-39910

HIGH EXPLOITED IN THE WILD

Libbitcoin Explorer <3.6.0 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-39910 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including z1ph1us, demining, Hitplus.

AI-analyzed exploit summary This repository contains a functional tool designed to exploit the 'Milk Sad' vulnerability (CVE-2023-39910) by generating BIP-39 mnemonic phrases using Unix timestamps as an entropy source. It includes both CLI and GUI applications to generate mnemonics for specific dates, date ranges, or the entire 32-bit timestamp range.

Description

The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from "bx seed" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor's position is that there was sufficient documentation advising against "bx seed" but others disagree. NOTE: this was exploited in the wild in June and July 2023.

Exploits (5)

nomisec WORKING POC 6 stars
by z1ph1us · poc
https://github.com/z1ph1us/MilkSad-Mnemonic-Generator

This repository contains a functional tool designed to exploit the 'Milk Sad' vulnerability (CVE-2023-39910) by generating BIP-39 mnemonic phrases using Unix timestamps as an entropy source. It includes both CLI and GUI applications to generate mnemonics for specific dates, date ranges, or the entire 32-bit timestamp range.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Systems using BIP-39 mnemonic generation with timestamp-based entropy (specific software not explicitly mentioned)
No auth needed
Prerequisites: Access to a system with the vulnerability · Knowledge of the target timestamp range
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC 1 stars
by z1ph1us · poc
https://gitlab.com/z1ph1us/MilkSad-Mnemonic-Generator

This repository contains a functional tool for generating BIP-39 mnemonic phrases based on Unix timestamps, specifically targeting the 'Milk Sad' vulnerability (CVE-2023-39910). It includes both CLI and GUI applications for generating mnemonics across specific dates, date ranges, or the entire 32-bit timestamp range.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Systems using BIP-39 mnemonic generation with timestamp-based entropy (specific version not specified)
No auth needed
Prerequisites: Unix-based system with g++, make, qmake, libssl-dev, and Qt5 development libraries
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WRITEUP 1 stars
by demining · poc
https://github.com/demining/RAMnesia-Attack

This repository contains a detailed writeup discussing hardware-based attacks (Phoenix Rowhammer and RAMnesia) targeting cryptographic systems, specifically Bitcoin wallets, by exploiting memory vulnerabilities (CVE-2025-6202 and CVE-2023-39910). It describes methods for ECDSA key recovery through physical side-channel attacks and flaws in trusted execution environments (TEEs).

Classification
Writeup 90%
Attack Type
Other
Complexity
Complex
Reliability
Theoretical
Target: DDR5 memory systems, cryptographic libraries (e.g., libbitcoin Explorer), Intel SGX, AMD SEV-SNP, NVIDIA Confidential Computing
No auth needed
Prerequisites: Physical access to target hardware · Specialized hardware (e.g., DIMM interposer) · Knowledge of memory management and cryptographic operations
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SUSPICIOUS
by Hitplus · poc
https://github.com/Hitplus/RingSide-Replay-Attack

The repository lacks actual exploit code and instead directs users to download an external ZIP file, which is a common tactic for distributing malware or fake exploits. The README is vague and focuses on marketing language rather than technical details about CVE-2023-39910.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unspecified
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec SUSPICIOUS
by Hitplus · poc
https://github.com/Hitplus/hitplus.github.io

The repository claims to provide a tool for recovering Bitcoin wallet private keys by exploiting CVE-2023-39910 but contains no actual exploit code. Instead, it directs users to download external releases, which is a common tactic for distributing malware or fake exploits.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Libbitcoin Explorer (version not specified)
No auth needed
Prerequisites: User interaction to download and run external files
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 7.5
EPSS 0.0131
EPSS Percentile 66.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2023-08-08
InTheWild.io 2023-08-09
CWE
CWE-338
Status published
Products (1)
libbitcoin/libbitcoin_explorer 3.0.0 - 3.6.0
Published Aug 09, 2023
Tracked Since Feb 18, 2026