CVE-2023-50428
MEDIUM
EXPLOITED IN THE WILD
Bitcoin Core <26.0 - Bitcoin Knots <25.1.knots20231115 - Code Injec...
Title source: llm
Exploitation Summary
CVE-2023-50428 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug."
References (6)
Core References
Third Party Advisory
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
Release Notes
https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md
Issue Tracking, Third Party Advisory
https://twitter.com/LukeDashjr/status/1732204937466032285
Scores
CVSS v3
5.3
EPSS
0.0078
EPSS Percentile
51.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Details
VulnCheck KEV
2023-12-05
InTheWild.io
2023-12-09
Status
published
Products (2)
bitcoin/bitcoin_core
0.9 - 26.0
bitcoinknots/bitcoin_knots
0.9 - 25.1
Published
Dec 09, 2023
Tracked Since
Feb 18, 2026