Today we are releasing three security advisories for the Bitcoin Core project. These vulnerabilities affect versions of Bitcoin Core before (and not including) 25.0.

...

This is part of the gradual adoption by the project of a new vulnerability disclosure policy. The policy is available at https://bitcoincore.org/en/security-advisories/#policy.  We will follow up next month with vulnerabilities affecting Bitcoin Core versions before (and not including) 26.0, if any.

Disclosed vulnerabilities include:

• CVE-2024-35202. This is a high severity issue that allows attackers to crash Bitcoin Core nodes remotely by triggering an assertion in the blocktxn message handling logic. The vulnerability was discovered by Niklas Gögge and fixed in Bitcoin Core v25.0.
• Hindered block propagation due to mutated blocks. This is a medium severity issue that allows a peer to clear the block download state of other peers by sending unrequested, mutated blocks. It was fixed in [Pull Request] 27608 by ensuring that a peer can only affect its own block download state, not the download states of other peers.
• DoS due to inv-to-send sets growing too large. It's a medium severity issue where excessively large m_tx_inventory_to_send sets could disrupt node communication by slowing inventory message construction.