Disclosure of memory DoS using low-difficulty headers

Starting with Bitcoin Core 0.12.0 and before Bitcoin Core 0.15.0, a node could be spammed with
minimum-difficulty headers, which an attacker could leverage to crash it by exhausting its memory (OOM).

This issue is considered Medium severity.

Details

Before the introduction of headers pre-synchronisation, nodes relied exclusively on checkpoints
to avoid getting spammed by low-difficulty headers.

In Bitcoin Core 0.12.0 a check for headers forking before the last checkpoint's height was moved to
after storing the header in mapBlockIndex, so a header rejected by that check still left an entry in
the map. This allowed an attacker to grow the map unboundedly by spamming headers whose parent is the
genesis block (which require only difficulty-1 proof of work to create), as such blocks bypassed the
checkpoint logic.
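To make the ordering bug concrete, the following is a simplified model of header acceptance, added for this write-up and not Bitcoin Core's own code. The header struct, the toy hash, the checkpoint bookkeeping, and the function names (acceptVulnerable, acceptFixed, simulate) are all assumptions; only the shape of the defect, running the "forks before the last checkpoint" check after the entry has already been stored in the map, follows the description above. Both orderings are shown side by side so the difference in map growth can be measured.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Simplified model of header acceptance (hypothetical, not Bitcoin Core's code).
struct Header {
    uint64_t prevHash;  // hash of the parent block
    uint32_t nonce;     // constructed field that makes each spam header distinct
};

// Toy 64-bit mixer standing in for the real block hash.
uint64_t headerHash(const Header& h) {
    uint64_t x = h.prevHash * 0x9E3779B97F4A7C15ULL ^ (h.nonce + 0x1234567ULL);
    x ^= x >> 29; x *= 0xBF58476D1CE4E5B9ULL; x ^= x >> 32;
    return x;
}

struct BlockIndex { uint64_t hash; uint64_t prevHash; int height; };
struct Checkpoint { int height; uint64_t hash; };

class HeaderIndex {
public:
    std::map<uint64_t, BlockIndex> mapBlockIndex;  // plays the role of mapBlockIndex
    std::vector<Checkpoint> checkpoints;
    uint64_t genesisHash;

    explicit HeaderIndex(uint64_t genesis) : genesisHash(genesis) {
        mapBlockIndex[genesis] = BlockIndex{genesis, 0, 0};
    }

    // Height of the highest checkpoint whose block we already have, or -1 if none.
    int lastKnownCheckpointHeight() const {
        int best = -1;
        for (const auto& cp : checkpoints)
            if (mapBlockIndex.count(cp.hash) && cp.height > best) best = cp.height;
        return best;
    }

    // A header below the last known checkpoint's height can only be a fork off the
    // checkpointed chain, so it is rejected.
    bool forksBeforeCheckpoint(int height) const {
        int cp = lastKnownCheckpointHeight();
        return cp >= 0 && height < cp;
    }

    // Vulnerable ordering: the header is stored before the checkpoint check,
    // so a rejected header still leaves an entry behind.
    bool acceptVulnerable(const Header& h) {
        auto parent = mapBlockIndex.find(h.prevHash);
        if (parent == mapBlockIndex.end()) return false;
        int height = parent->second.height + 1;
        uint64_t hash = headerHash(h);
        mapBlockIndex[hash] = BlockIndex{hash, h.prevHash, height};  // unbounded growth
        if (forksBeforeCheckpoint(height)) return false;             // too late
        return true;
    }

    // Fixed ordering: the contextual check runs before anything is stored.
    bool acceptFixed(const Header& h) {
        auto parent = mapBlockIndex.find(h.prevHash);
        if (parent == mapBlockIndex.end()) return false;
        int height = parent->second.height + 1;
        if (forksBeforeCheckpoint(height)) return false;  // nothing stored
        uint64_t hash = headerHash(h);
        mapBlockIndex[hash] = BlockIndex{hash, h.prevHash, height};
        return true;
    }
};

// Builds a 5-block chain on genesis, declares a checkpoint at height 3, then
// feeds `spam` distinct headers whose parent is genesis. Returns the final map size.
std::size_t simulate(bool fixed, int spam) {
    HeaderIndex idx(/*genesis=*/1);
    uint64_t tip = idx.genesisHash;
    for (int i = 1; i <= 5; ++i) {
        Header h{tip, 0};
        idx.acceptFixed(h);  // extending the main chain is accepted by both orderings
        tip = headerHash(h);
        if (i == 3) idx.checkpoints.push_back(Checkpoint{3, tip});
    }
    for (int i = 1; i <= spam; ++i) {
        Header h{idx.genesisHash, static_cast<uint32_t>(i)};
        if (fixed) idx.acceptFixed(h); else idx.acceptVulnerable(h);
    }
    return idx.mapBlockIndex.size();
}

int main() {
    std::printf("vulnerable ordering: %zu entries\n", simulate(false, 1000));  // 1006
    std::printf("fixed ordering:      %zu entries\n", simulate(true, 1000));   // 6
    return 0;
}
```

With the vulnerable ordering the map gains one entry per spam header even though every one of them is rejected, which is exactly the unbounded growth the advisory describes; with the check in front of the insertion the map stays at the size of the node's own chain. The defensive lesson generalises beyond this bug: any resource-bounding check on untrusted input must run before the input is recorded in a long-lived structure, not after.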

Attribution

Credits to Cory Fields for finding and responsibly disclosing the bug.

Timeline

2017-08-08 Cory Fields privately reports the bug
2017-08-11 Pieter Wuille opens PR #11028 to fix it
2017-08-14 PR #11028 is merged
2017-09-14 Bitcoin Core version 0.15.0 is released with a fix
2018-10-03 The last vulnerable version of Bitcoin Core (0.14.3) goes end of life
2024-07-03 Public disclosure