Description
The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation.
References (5)
Core 5
Core References
Release Notes x_refsource_misc
https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta
Vendor Advisory x_refsource_confirm
https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7
Various Sources x_refsource_misc
https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979
Various Sources x_refsource_misc
https://lightning.network
Various Sources x_refsource_misc
https://morehouse.github.io/lightning/lnd-onion-bomb
Scores
CVSS v3
6.5
EPSS
0.0057
EPSS Percentile
42.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (2)
lightningnetwork/lnd
0 - 0.17.0-betaGo
lightningnetwork/lnd
< 0.17.0
Published
Jun 20, 2024
Tracked Since
Feb 18, 2026