History: Jun 20, 2024 - 11:15 p.m.

CVE-2024-38359

2024-06-20 23:15:52
CWE-20
web.nvd.nist.gov
lightning network daemon
parsing vulnerability
excessive memory allocation
version update
cli flag
channel forwarding
network interface.

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.0004 Low
Percentile: 15.7%

The Lightning Network Daemon (lnd) is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic led to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. As a mitigation, users unable to upgrade may set the --rejecthtlc CLI flag and also disable forwarding on channels via the UpdateChanPolicyCommand, or disable listening on a public network interface via the --nolisten flag.

Affected configurations

Vulners
Node: lightningnetwork lnd, Range: <0.17.0

CNA Affected

[
  {
    "vendor": "lightningnetwork",
    "product": "lnd",
    "versions": [
      {
        "version": "< 0.17.0",
        "status": "affected"
      }
    ]
  }
]
