{"schema_version":"1.3.1","id":"GO-2024-3189","modified":"2024-10-17T14:56:24Z","published":"2024-10-15T18:38:57Z","aliases":["CVE-2024-38365","GHSA-27vh-h6mc-q6g8"],"summary":"Consensus failure in github.com/btcsuite/btcd","details":"The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.","affected":[{"package":{"name":"github.com/btcsuite/btcd","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.24.2-beta.rc1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/btcsuite/btcd/txscript","symbols":["Engine.Execute","Engine.Step","VerifyTaprootKeySpend","baseSegwitSigVerifier.Verify","baseSigVerifier.Verify","baseTapscriptSigVerifier.Verify","opcodeCheckMultiSig","opcodeCheckSig","opcodeCheckSigAdd","opcodeCodeSeparator","removeOpcodeByData","taprootSigVerifier.Verify"]}],"custom_ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.10.0"}]}]}}],"references":[{"type":"ADVISORY","url":"https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8"},{"type":"FIX","url":"https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5"},{"type":"WEB","url":"https://delvingbitcoin.org/t/cve-2024-38365-public-disclosure-btcd-findanddelete-bug/1184"},{"type":"WEB","url":"https://github.com/btcsuite/btcd/releases/tag/v0.24.2"}],"credits":[{"name":"darosior"},{"name":"dergoegge"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-3189","review_status":"REVIEWED"}}