CVE-2024-38365

btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one). This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block. `removeOpcodeByData(script []byte, dataToRemove []byte)` removes any data pushes from `script` that contain `dataToRemove`. However, `FindAndDelete` only removes exact matches. So for example, with `script = "<data> <data||foo>"` and `dataToRemove = "data"` btcd will remove both data pushes but Bitcoin Core's `FindAndDelete` only removes the first `<data>` push. This has been patched in btcd version v0.24.2. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://delvingbitcoin.org/t/cve-2024-38365-public-disclosure-btcd-findanddelete-bug/1184	Issue Tracking
https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5	Patch
https://github.com/btcsuite/btcd/releases/tag/v0.24.2	Release Notes
https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:btcd_project:btcd:*:*:*:*:*:*:*:*

History

20 Aug 2025, 19:23

Type	Values Removed	Values Added
References	~~() https://delvingbitcoin.org/t/cve-2024-38365-public-disclosure-btcd-findanddelete-bug/1184 -~~	() https://delvingbitcoin.org/t/cve-2024-38365-public-disclosure-btcd-findanddelete-bug/1184 - Issue Tracking
References	~~() https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5 -~~	() https://github.com/btcsuite/btcd/commit/04469e600e7d4a58881e2e5447d19024e49800f5 - Patch
References	~~() https://github.com/btcsuite/btcd/releases/tag/v0.24.2 -~~	() https://github.com/btcsuite/btcd/releases/tag/v0.24.2 - Release Notes
References	~~() https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8 -~~	() https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8 - Vendor Advisory
CPE		cpe:2.3:a:btcd_project:btcd::::::::
First Time		Btcd Project Btcd Project btcd

Information

Published : 2024-10-11 20:15

Updated : 2025-08-20 19:23

NVD link : CVE-2024-38365

Mitre link : CVE-2024-38365

CVE.ORG link : CVE-2024-38365

JSON object : View

Products Affected

btcd_project

btcd

CWE

CWE-670

Always-Incorrect Control Flow Implementation

7.4 /10