CVE-2022-44797
NixOS vulnerability analysis and mitigation

Overview

btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking. The vulnerability was discovered and disclosed in October 2022 and affects btcd, a Bitcoin implementation written in Go (golang) (AttackerKB).

Technical details

The vulnerability stems from an erroneous witness size check in the wire parsing code. The older checks on maximum witness size, dating from segwit v0, were present both in the wire package and in the transaction script engine. That check belongs only in the engine, where it is properly gated by the related script validation flags (GitHub PR). The fix removed the redundant check from the wire package, so that witnesses are bounded only by the maximum block size in bytes (~4MB).
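The misplaced check, as an added illustration in Go that is not btcd's code: a wire-layer witness parser whose only variable is which cap it enforces, beside a stand-in for the flag-gated engine rule. The CompactSize encoding is Bitcoin's; the limit values, function names and the 80-byte engine cap are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

const (
	MaxBlockBytes   = 4_000_000 // constructed: serialized-size ceiling, the only bound the wire layer needs
	SegwitV0ItemCap = 80        // constructed: per-item cap the script engine applies to segwit v0 spends
)

// readCompactSize decodes a Bitcoin CompactSize (varint) prefix.
func readCompactSize(r io.Reader) (uint64, error) {
	var b [9]byte // zero-filled, so unused high bytes decode as zero
	if _, err := io.ReadFull(r, b[:1]); err != nil || b[0] < 0xfd {
		return uint64(b[0]), err
	}
	extra := 2 << (b[0] - 0xfd) // 0xfd: 2 more bytes, 0xfe: 4, 0xff: 8
	_, err := io.ReadFull(r, b[1:1+extra])
	return binary.LittleEndian.Uint64(b[1:]), err
}

// ParseWitness reads one input's witness stack (item count, then length-prefixed items).
func ParseWitness(r io.Reader, itemCap uint64) (stack [][]byte, err error) {
	n, err := readCompactSize(r)
	for i := uint64(0); err == nil && i < n; i++ {
		size, err := readCompactSize(r)
		if err != nil {
			return nil, err
		}
		if size > itemCap { // passing SegwitV0ItemCap here is the bug; MaxBlockBytes is the fix
			return nil, fmt.Errorf("witness item %d: %d bytes exceeds cap %d", i, size, itemCap)
		}
		item := make([]byte, size)
		if _, err := io.ReadFull(r, item); err != nil {
			return nil, err
		}
		stack = append(stack, item)
	}
	return stack, err
}

// EngineCheck stands in for the flag-gated script-engine rule the wire layer should defer to.
func EngineCheck(stack [][]byte, segwitV0 bool) error {
	for i, item := range stack {
		if segwitV0 && uint64(len(item)) > SegwitV0ItemCap {
			return fmt.Errorf("engine: item %d exceeds segwit v0 cap", i)
		}
	}
	return nil
}
```

A block whose witness carries an item over the engine cap fails at the wire layer with the buggy cap but parses with the fixed one, and the engine then accepts or rejects it depending on the spend type.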

Impact

Affected nodes were unable to parse certain blocks from the wire, even though the same blocks were accepted when fed in through other mechanisms. This led to chain synchronization failures, with nodes entering a degraded state in which they could not properly process blocks (LND Issue).

Mitigation and workarounds

The vulnerability was patched in btcd version 0.23.2 and Lightning Labs lnd version 0.15.2-beta. Users were advised to upgrade to these versions or later to resolve the issue. The fix involved removing the erroneous witness size check from the wire parsing functionality (GitHub Release, LND Release).
