CVE-2018-17144 log

Severity Medium
Remote Yes
Type Denial of service
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input.
Any attempts to double-spend a transaction output within a single transaction inside of a block where the output being spent was created in the same block, the same assertion failure will occur (as exists in the test case which was included in the 0.16.3 patch). However, if the output being double-spent was created in a previous block, an entry will still remain in the CCoin map with the DIRTY flag set and having been marked as spent, resulting in no such assertion. This could allow a miner to inflate the supply of Bitcoin as they would then be able to claim the value being spent twice.
Group Package Affected Fixed Severity Status Ticket
AVG-768 bitcoin-cli, bitcoin-tx 0.16.2-2 0.16.3-1 Medium Not affected
AVG-766 bitcoin-daemon, bitcoin-qt 0.16.2-2 0.16.3-1 Medium Fixed
Date Advisory Group Package Severity Type
22 Sep 2018 ASA-201809-2 AVG-766 bitcoin-qt Medium denial of service
22 Sep 2018 ASA-201809-1 AVG-766 bitcoin-daemon Medium denial of service