Skip to content

Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service

Moderate severity GitHub Reviewed Published Jun 20, 2024 in lightningnetwork/lnd • Updated Jun 21, 2024

Package

gomod github.com/lightningnetwork/lnd (Go)

Affected versions

< 0.17.0-beta

Patched versions

0.17.0-beta

Description

Impact

A parsing vulnerability in lnd's onion processing logic led to a DoS vector due to excessive memory allocation.

Patches

The issue was patched in lnd v0.17.0. Users should update to a version >= v0.17.0 to be protected.

References

Detailed blog post: https://morehouse.github.io/lightning/lnd-onion-bomb/

Developer discussion: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

References

@Roasbeef Roasbeef published to lightningnetwork/lnd Jun 20, 2024
Published to the GitHub Advisory Database Jun 20, 2024
Reviewed Jun 20, 2024
Published by the National Vulnerability Database Jun 20, 2024
Last updated Jun 21, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-38359

GHSA ID

GHSA-9gxx-58q6-42p7

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.