CVE-2025-46598

Published Mar 20, 2026

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-46598 describes a CPU Denial-of-Service (DoS) vulnerability affecting Bitcoin Core, stemming from the processing of unconfirmed transactions. An attacker could exploit this by sending specially crafted, non-standard unconfirmed transactions. While these transactions would ultimately be rejected by a victim node, each validation attempt would consume several seconds of CPU time without causing a disconnection, allowing the attacker to repeatedly send such transactions. This continuous processing of resource-intensive, unconfirmed transactions could be leveraged to delay block propagation within the Bitcoin network. Mitigations were implemented to reduce the validation time in various Script contexts, and a fix for this issue was released on October 10, 2025, in Bitcoin Core version 30.0.

Description: Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.
Source: cve@mitre.org
NVD status: Analyzed
Products: bitcoin_core

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-405

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:bitcoin:bitcoin_core:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "24777408-C394-47D1-8E69-5630DF67FC26",
            "versionEndExcluding": "0.30.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.