CVE-2024-52922
Bitcoin Core vulnerability analysis and mitigation

Overview

CVE-2024-52922 affects Bitcoin Core versions before 25.1. The vulnerability was discovered in May 2023 and publicly disclosed on November 5, 2024. The issue allows an attacker to prevent a node from downloading the latest block by exploiting a delay that occurs when an announcing peer stalls instead of following the peer-to-peer protocol specification (Bitcoin Core).

Technical details

When a node receives a new block announcement via a headers or compact block message, it requests either the full block or the missing transaction details from the announcing peer. If the announcing peer fails to respond according to protocol requirements, the affected Bitcoin Core node will wait up to 10 minutes before disconnecting and attempting another block download. An attacker with multiple connections can repeat this process to cause extended delays (Bitcoin Core). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by CISA-ADP (NVD).

Impact

The vulnerability can cause network degradation by slowing down network convergence, making mining payouts less fair, and causing liveness issues. The impact was particularly severe when mempools were relatively heterogeneous, which prevented honest peers from opportunistically reconstructing compact blocks (Bitcoin Core).

Mitigation and workarounds

A fix was implemented in Bitcoin Core v26.0 and backported to v25.1 through PR #27626. The mitigation ensures that blocks can be requested concurrently from up to 3 high-bandwidth compact block peers, with at least one required to be an outbound connection (Bitcoin Core).
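The following timing model is an added example, not Bitcoin Core code or part of the original report. It compares the one-request-at-a-time behaviour described under Technical details with the concurrent requests described above. The names `Peer`, `pick_slots` and `time_to_block`, the rule that keeps the last slot for an outbound peer, and the sample peers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

STALL_TIMEOUT_S = 600  # "up to 10 minutes" before a stalling peer is disconnected
MAX_PARALLEL = 3       # post-fix: up to 3 high-bandwidth compact block peers

@dataclass
class Peer:
    name: str
    outbound: bool
    reply_s: Optional[float]  # seconds until block data arrives; None = peer stalls

def pick_slots(queue: List[Peer], parallel: int, reserve_outbound: bool) -> List[Peer]:
    """Grant request slots in announcement order. With reserve_outbound, the last
    slot is held for an outbound peer unless one is already in flight (assumed rule)."""
    chosen: List[Peer] = []
    for p in queue:
        if len(chosen) == parallel:
            break
        last_slot = parallel > 1 and len(chosen) == parallel - 1
        if (reserve_outbound and last_slot and not p.outbound
                and not any(c.outbound for c in chosen)):
            continue  # keep the final slot free for an outbound announcer
        chosen.append(p)
    return chosen

def time_to_block(announcers: List[Peer], parallel: int,
                  reserve_outbound: bool = True) -> Optional[float]:
    """Seconds until the block is received, or None if every announcer stalls."""
    queue, elapsed = list(announcers), 0.0
    while queue:
        batch = pick_slots(queue, parallel, reserve_outbound)
        replies = [p.reply_s for p in batch if p.reply_s is not None]
        if replies:
            return elapsed + min(replies)
        elapsed += STALL_TIMEOUT_S  # whole batch stalled: disconnect and retry
        queue = [p for p in queue if p not in batch]
    return None

# Constructed scenario: three stalling inbound peers announce the block first,
# followed by one honest outbound peer that answers in half a second.
SCENARIO = [Peer("in-1", False, None), Peer("in-2", False, None),
            Peer("in-3", False, None), Peer("out-1", True, 0.5)]

if __name__ == "__main__":
    print("pre-fix, one request at a time:", time_to_block(SCENARIO, 1))
    print("3 slots, no outbound slot     :", time_to_block(SCENARIO, MAX_PARALLEL, False))
    print("3 slots, one kept for outbound:", time_to_block(SCENARIO, MAX_PARALLEL))
```

In this model, three parallel slots without the outbound requirement still cost one full timeout when inbound peers fill every slot, which is the case the outbound requirement addresses.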

This report was generated using AI.

Related Bitcoin Core vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-54605 | HIGH | 7.5 | Bitcoin Core | cpe:2.3:a:bitcoin:bitcoin_core | No | Yes | Oct 28, 2025 |
| CVE-2025-54604 | HIGH | 7.5 | Bitcoin Core | cpe:2.3:a:bitcoin:bitcoin_core | No | Yes | Oct 28, 2025 |
| CVE-2024-52922 | MEDIUM | 6.5 | Bitcoin Core | cpe:2.3:a:bitcoin:bitcoin_core | No | Yes | Nov 18, 2024 |
| CVE-2024-55563 | MEDIUM | 5.3 | Bitcoin Core | cpe:2.3:a:bitcoin:bitcoin_core | No | No | Dec 09, 2024 |
| CVE-2024-52921 | MEDIUM | 5.3 | Bitcoin Core | cpe:2.3:a:bitcoin:bitcoin_core | No | Yes | Nov 18, 2024 |
