
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-52921 affects Bitcoin Core versions before 25.0. The vulnerability allows a peer to affect the download state of other peers by sending a mutated block. The issue was discovered in May 2023 and was fixed with the release of Bitcoin Core v25.0 (Bitcoin Core).
The vulnerability occurs when a peer sends a mutated block (a block where the Merkle root in the header or the witness commitment in the coinbase transaction doesn't match the transactions in the block). Before version 25.0, receiving an unrequested mutated block could clear the block download state of other peers. This particularly affected compact block relay, where receiving a mutated block while waiting for a getblocktxn response would cause Bitcoin Core to forget about the compact block reconstruction state (Bitcoin Core). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) (NVD).
The vulnerability could hinder block propagation across the network. When a blocktxn response arrived after a mutated block had been received, it could not be used to reconstruct the block, potentially delaying block propagation throughout the network (Bitcoin Core).
The vulnerability was fixed in Bitcoin Core v25.0 by ensuring that a peer can only affect its own block download state and not the download state of other peers. The fix was implemented through pull request #27608 (Bitcoin Core).
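As an added illustration (not Bitcoin Core's code) of the two points above, the block below implements the Bitcoin Merkle-root check that distinguishes a mutated block from a valid one, and a deliberately simplified, hypothetical per-peer download tracker in which a mutated block from one peer never clears another peer's in-flight compact-block state. The txids are constructed sample values, not from a real block.

```python
import hashlib

# Constructed sample txids (display byte order); not taken from any real block.
SAMPLE_TXIDS = ["aa" * 32, "bb" * 32, "cc" * 32]


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids_hex):
    """Merkle root as Bitcoin computes it: double-SHA256 over adjacent pairs,
    duplicating the last node whenever a level has an odd number of entries."""
    if not txids_hex:
        raise ValueError("a block carries at least the coinbase transaction")
    level = [bytes.fromhex(t)[::-1] for t in txids_hex]  # internal byte order
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0][::-1].hex()


def is_mutated(header_merkle_root, txids_hex):
    """A block is mutated when the header's Merkle root does not match its transactions."""
    return merkle_root(txids_hex) != header_merkle_root


class DownloadTracker:
    """Hypothetical, simplified model of per-peer block download state."""

    def __init__(self):
        self.in_flight = {}  # peer_id -> set of block hashes awaiting a blocktxn reply

    def request_compact_block(self, peer, block_hash):
        self.in_flight.setdefault(peer, set()).add(block_hash)

    def on_block(self, sender, block_hash, header_merkle_root, txids_hex):
        """Returns True if the block was accepted. A mutated block touches only the
        sender's own state; every other peer's in-flight request survives."""
        if is_mutated(header_merkle_root, txids_hex):
            self.in_flight.get(sender, set()).discard(block_hash)
            return False
        for peer_state in self.in_flight.values():  # valid block: nobody needs it any more
            peer_state.discard(block_hash)
        return True
```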
Source: This report was generated using AI