Arch Linux: Insufficient validation (CVE-2021-31876)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:N/I:P/A:P) | May 13, 2021 | Jul 11, 2025 | Nov 27, 2025 |
Description
Bitcoin Core does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds or a denial-of-service attack against downstream projects such as Lightning Network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because the child transaction inherits the parent's signaling. However, the actual PreChecks implementation does not enforce this. Instead, the mempool rejects the attempt to replace the unconfirmed child transaction.
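Added example (not Bitcoin Core code and not part of the original advisory): a small Python model contrasting BIP125's inherited signaling with the own-inputs-only check the description attributes to PreChecks, so a downstream project can flag transactions it might wrongly assume are replaceable. It extends the parent/child case to any unconfirmed ancestor, as BIP125 does; the `Tx` class, the function names and the sample mempool are constructed for illustration.

```python
from dataclasses import dataclass, field

RBF_SIGNAL_MAX = 0xFFFFFFFD  # nSequence at or below this value signals replaceability
SEQUENCE_FINAL = 0xFFFFFFFF  # no signal


@dataclass
class Tx:
    txid: str                      # constructed label, not a real txid
    sequences: list                # nSequence of each input
    parents: list = field(default_factory=list)  # unconfirmed parents only


def signals_explicitly(tx):
    return any(seq <= RBF_SIGNAL_MAX for seq in tx.sequences)


def replaceable_per_bip125(tx):
    """Explicit signal, or a signal inherited from any unconfirmed ancestor."""
    seen, stack = set(), [tx]
    while stack:
        cur = stack.pop()
        if cur.txid in seen:
            continue
        seen.add(cur.txid)
        if signals_explicitly(cur):
            return True
        stack.extend(cur.parents)
    return False


def replaceable_as_described(tx):
    """Behaviour the advisory describes: only the transaction's own inputs count."""
    return signals_explicitly(tx)


def policy_gaps(mempool):
    """Transactions the spec treats as replaceable but the described check rejects."""
    return [t.txid for t in mempool
            if replaceable_per_bip125(t) and not replaceable_as_described(t)]


# Constructed mempool: the parent signals, the child and grandchild are final.
parent = Tx("parent", [RBF_SIGNAL_MAX])
child = Tx("child", [SEQUENCE_FINAL], [parent])
grandchild = Tx("grandchild", [SEQUENCE_FINAL], [child])
standalone = Tx("standalone", [SEQUENCE_FINAL])   # confirmed parents only
MEMPOOL = [parent, child, grandchild, standalone]

if __name__ == "__main__":
    print(policy_gaps(MEMPOOL))
```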
Solution
arch-linux-upgrade-latest
References
- CVE-2021-31876
- https://attackerkb.com/topics/CVE-2021-31876
- https://bitcoinops.org/en/newsletters/2021/05/12/
- https://bitcoinops.org/en/topics/replace-by-fee/
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2021-31876
- https://github.com/bitcoin/bitcoin
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/018893.html
- CWE-863