CVE-2023-33297: 
Bitcoin Core vulnerability analysis and mitigation

Bitcoin Core before version 24.1, when debug mode is not used, contains a vulnerability that allows attackers to cause a denial of service through CPU consumption. The vulnerability (CVE-2023-33297) exists because draining the inventory-to-send queue is inefficient, and was actively exploited in the wild in May 2023 (NVD).

The vulnerability stems from inefficient processing of the inventory-to-send queue in Bitcoin Core's peer-to-peer networking code. When transactions are being added to the mempool at a rate faster than 7tx/s (INVENTORYBROADCASTPERSECOND), peers' inventoryto_send queue can become relatively large, leading to high CPU usage on a single core (Bitcoin PR). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can cause significant performance degradation through CPU consumption, potentially leading to delays in processing new blocks and network forks. Mining pools reported serious technical failures when processing messages, with single-threaded CPU usage reaching 100% for extended periods (GitHub Issue). Additionally, the attack can be used to force nodes to upload large amounts of data (>130MB/s), potentially causing financial impact through bandwidth costs for nodes on metered connections (Dogecoin Issue).

The vulnerability was fixed in Bitcoin Core version 24.1. The fix includes performance improvements when draining the inventory-to-send queue by dropping transactions that have already been evicted from the mempool immediately and marginally increasing the outgoing trickle rate during transaction volume spikes (Release Notes).