Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service

Moderate severity GitHub Reviewed Published Jun 20, 2024 in lightningnetwork/lnd • Updated Aug 4, 2024

Package

gomod github.com/lightningnetwork/lnd (Go)

Affected versions

< 0.17.0-beta

Patched versions

0.17.0-beta

Description

Impact

A parsing vulnerability in lnd's onion processing logic led to a DoS vector due to excessive memory allocation.

Patches

The issue was patched in lnd v0.17.0. Users should update to a version >= v0.17.0 to be protected.

References

Detailed blog post: https://morehouse.github.io/lightning/lnd-onion-bomb/

Developer discussion: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

@Roasbeef published to lightningnetwork/lnd Jun 20, 2024
Published to the GitHub Advisory Database Jun 20, 2024
Reviewed Jun 20, 2024
Published by the National Vulnerability Database Jun 20, 2024
Last updated Aug 4, 2024

Severity

Moderate

EPSS score

0.045% (17th percentile)

Weaknesses

CVE ID

CVE-2024-38359

GHSA ID

GHSA-9gxx-58q6-42p7

Source code

Credits
