CVE-2024-34478 — Consensus failures in github.com/btcsuite/btcd

Description

Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.

How to fix CVE-2024-34478

To remediate CVE-2024-34478, upgrade the affected package to a fixed version below.

Go/github.com/btcsuite/btcd—upgrade to 0.24.0 or later
Go/github.com/btcsuite/btcd—upgrade to 0.24.0 or later

Is CVE-2024-34478 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.24.0
from 0, < 0.24.0

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-34478
PATCHgithub.com/btcsuite/btcd
WEBdelvingbitcoin.org/t/disclosure-btcd-consensus-bugs-due-to-usage-of-signed-transaction-version/455
WEBgithub.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/blockchain/chain.go#L383C1-L392C3