Michael Ford

#19912 of 53,635
13 Total CVSS
Vulnerabilities · 2
Medium: 2
PT-2024-35485
6.5
2024-11-18
Unknown · Bitcoin Core · CVE-2024-52917
Name of the Vulnerable Software and Affected Versions: Bitcoin Core versions prior to 22.0

Description: The issue is related to an infinite loop in the miniupnp component, where memory is allocated based on random data received over the network, such as large M-SEARCH replies from a fake UPnP device. This can lead to an infinite loop.

Recommendations: For versions prior to 22.0, update to version 22.0 or later to resolve the issue. As a temporary workaround, consider disabling the UPnP functionality until a patch is available. Restrict access to the network to minimize the risk of exploitation by fake UPnP devices.
PT-2024-35486
6.5
2024-11-18
Unknown · Bitcoin Core · CVE-2024-52918
Name of the Vulnerable Software and Affected Versions: Bitcoin Core versions prior to 0.20.0

Description: The issue allows remote attackers to cause a denial of service, resulting in memory consumption and application crash. This is achieved via a BIP21 `r` parameter for a URL that has a large file.

Recommendations: For versions prior to 0.20.0, update to version 0.20.0 or later to resolve the issue. As a temporary workaround, consider restricting access to URLs with large files to minimize the risk of exploitation. Avoid using the `r` parameter in BIP21 URLs for large files until the issue is resolved.