CVE-2023-50428

MEDIUM EXPLOITED IN THE WILD

Bitcoin Core <26.0 - Bitcoin Knots <25.1.knots20231115 - Code Injec...

Title source: llm

Description

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug."

References (6)

Core 6

Core References

Third Party Advisory

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

Issue Tracking

https://github.com/bitcoin/bitcoin/pull/28408#issuecomment-1844981799

Product

https://github.com/bitcoin/bitcoin/tags

Release Notes

https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md

View Writeup ZIP pw:eip

Issue Tracking, Third Party Advisory

https://twitter.com/LukeDashjr/status/1732204937466032285

Various Sources

https://github.com/bitcoin/bitcoin/blob/65c05db660b2ca1d0076b0d8573a6760b3228068/src/kernel/mempool_options.h#L46-L53

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

VulnCheck KEV 2023-12-05

InTheWild.io 2023-12-09

Status published

Products (2)

bitcoin/bitcoin_core 0.9 - 26.0

bitcoinknots/bitcoin_knots 0.9 - 25.1

Published Dec 09, 2023

Tracked Since Feb 18, 2026