74 matches found
GO-2026-4361 Inconsistencies between how commit signatures are verified and how block time is derived in github.com/cometbft/cometbft
GHSA-C32P-WCQJ-J677 CometBFT has inconsistencies between how commit signatures are verified and how block time is derived
CSA-2026-001: Tachyon. Name: CSA-2026-001: Tachyon. Criticality: Critical (Catastrophic Impact; Possible Likelihood per ACMv1.2). Affected versions: All versions of CometBFT. Affected users: Validators and protocols relying on block timestamps. Description: A consensus-level vulnerability was...
Incorrect Provision of Specified Functionality
Overview: Affected versions of this package are vulnerable to Incorrect Provision of Specified Functionality due to inconsistencies between the verification of commit signatures and the derivation of block time. An attacker can disrupt consensus guarantees and manipulate block timestamps by...
EUVD-2026-4323
CometBFT has inconsistencies between how commit signatures are verified and how block time is derived...
Cosmos: Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service
Summary of Impact: CometBFT v1.0.1 contains a critical memory exhaustion vulnerability that allows any peer to crash nodes with a single 50-byte P2P message. An attacker can send a malicious ProposalMessage with PartSetHeader.Total set to 2^32-1, causing the receiving node to immediately allocate...
Improper Input Validation
github.com/cometbft/cometbft is vulnerable to Improper Input Validation. The vulnerability is due to the lack of validation for BitArrays with mismatched element and bit counts, which allows an attacker to supply malformed BitArrays that can trigger processing errors or panics within the system...
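The two entries above (the ProposalMessage memory exhaustion and the malformed BitArray handling) are the same class of bug: a peer-supplied count that the node trusts before it sizes or indexes memory. The Go program below is an added illustration written for this page, not CometBFT's own code. The types (PartSetHeader, ProposalMessage, BitArray), the node-side limit maxParts, and the validation functions are all assumptions chosen to mirror the shapes the advisories describe; it shows how large the unchecked allocation for Total = 2^32-1 would be without performing it, rejects such a proposal before any allocation, and rejects a BitArray whose Elems slice does not match its Bits count.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed, simplified shapes of the messages the advisories describe.
// Illustrative types only, not CometBFT's definitions.
type PartSetHeader struct {
	Total uint32 // peer-controlled number of block parts
	Hash  []byte
}

type ProposalMessage struct {
	Height int64
	Round  int32
	Parts  PartSetHeader
}

// BitArray keeps Bits bits packed 64 per word in Elems.
type BitArray struct {
	Bits  int
	Elems []uint64
}

var (
	ErrTooManyParts  = errors.New("proposal: part-set Total out of bounds")
	ErrBitArrayShape = errors.New("bitarray: Elems length inconsistent with Bits")
)

// wordsFor is the backing-slice size a BitArray of `total` bits needs, computed
// without allocating so the 2^32-1 case can be inspected safely: 67,108,864
// words (512 MiB) in response to one ~50-byte message.
func wordsFor(total uint32) uint64 {
	return (uint64(total) + 63) / 64
}

// newBitArray is the allocation both paths end at. Called directly with a
// peer-supplied Total it is the vulnerable pattern from the v1.0.1 advisory.
func newBitArray(bits int) *BitArray {
	if bits <= 0 {
		return nil
	}
	return &BitArray{Bits: bits, Elems: make([]uint64, (bits+63)/64)}
}

// ValidateProposal bounds Total before anything is sized by it. maxParts is a
// hypothetical node-side limit (assumption: derived from the configured max
// block size and part size).
func ValidateProposal(m ProposalMessage, maxParts uint32) error {
	if m.Parts.Total == 0 || m.Parts.Total > maxParts {
		return fmt.Errorf("%w: total=%d max=%d", ErrTooManyParts, m.Parts.Total, maxParts)
	}
	return nil
}

// HandleProposal is the hardened path: validate first, then allocate.
func HandleProposal(m ProposalMessage, maxParts uint32) (*BitArray, error) {
	if err := ValidateProposal(m, maxParts); err != nil {
		return nil, err
	}
	return newBitArray(int(m.Parts.Total)), nil
}

// ValidateBasic rejects a BitArray whose Elems length does not match Bits, or
// that has set bits past Bits in its last word. Without it, an accessor like
// GetIndex trusts Bits and can read past Elems on peer-supplied input.
func (ba *BitArray) ValidateBasic() error {
	if ba == nil {
		return nil
	}
	if ba.Bits < 0 {
		return fmt.Errorf("%w: negative Bits=%d", ErrBitArrayShape, ba.Bits)
	}
	want := (ba.Bits + 63) / 64
	if len(ba.Elems) != want {
		return fmt.Errorf("%w: bits=%d elems=%d want=%d", ErrBitArrayShape, ba.Bits, len(ba.Elems), want)
	}
	if rem := ba.Bits % 64; rem != 0 && ba.Elems[want-1]>>uint(rem) != 0 {
		return fmt.Errorf("%w: set bits beyond Bits", ErrBitArrayShape)
	}
	return nil
}

// GetIndex only checks i against Bits; it panics if Elems is shorter than
// Bits implies, which is why ValidateBasic must run on anything from a peer.
func (ba *BitArray) GetIndex(i int) bool {
	if i < 0 || i >= ba.Bits {
		return false
	}
	return ba.Elems[i/64]&(1<<uint(i%64)) != 0
}

func main() {
	hostile := ProposalMessage{Height: 1, Parts: PartSetHeader{Total: 1<<32 - 1}} // constructed input
	fmt.Printf("unchecked allocation would be %d words\n", wordsFor(hostile.Parts.Total))
	if _, err := HandleProposal(hostile, 1600); err != nil {
		fmt.Println("rejected:", err)
	}
	bad := &BitArray{Bits: 200, Elems: []uint64{0}} // claims 200 bits, carries one word
	fmt.Println("bitarray check:", bad.ValidateBasic())
}
```

The point of the shape check is that the count and the backing storage are two separately deserialized fields; a consumer that validates only one of them (as GetIndex does) is exactly what turns a malformed message into a panic on every node that processes it.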
GO-2025-4025 CometBFT's invalid BitArray handling can lead to network halt in github.com/cometbft/cometbft
EUVD-2025-34453
CometBFT's invalid BitArray handling can lead to network halt...
Improper Handling of Syntactically Invalid Structure
Overview: github.com/cometbft/cometbft/consensus is Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. Affected versions of this package are vulnerable to Improper Handling of...
GHSA-HRHF-2VCR-GHCH CometBFT's invalid BitArray handling can lead to network halt
Name: ASA-2025-003: Invalid BitArray handling can lead to network halt. Criticality: High (Considerable Impact; Possible Likelihood per ACMv1.2). Affected versions: <= v0.38.18, <= v0.37.15, and main development branches. Affected users: Validators, Full nodes, Users. Description: A bug was discovered in...
EUVD-2023-2155
Malicious code in bioql PyPI...
EUVD-2025-0216
Malicious code in bioql PyPI...
CVE-2025-24371
CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the blocksync protocol peers send their base and latest heights when they connect to a new node A, which is syncing to the tip of a network. base acts as a lower bound and informs A that the...
Insufficient Verification Of Data Authenticity
CometBFT is vulnerable to Insufficient Verification of Data Authenticity. The vulnerability stems from incorrect processing and dissemination of invalid block part indices and proof part indices, which could lead to a network halt...
Improper Check Or Handling Of Exceptional Conditions
github.com/cometbft/cometbft is vulnerable to Improper Check or Handling of Exceptional Conditions. The vulnerability is due to improper validation of reported latest heights, allowing a malicious node to first report a higher latest height and then a lower one, causing syncing nodes to get stuck...
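The blocksync entries above describe a pool that records each peer's advertised base and latest height and targets the highest height seen. The Go program below is an added illustration for this page, not CometBFT's blocksync implementation: the Pool, peerRange and Stuck types and the drop-on-regression rule are assumptions about the mechanism. It contrasts a pool that trusts every status update (and so keeps targeting a height that no remaining peer will serve after a high-then-low report) with one that drops a peer whose latest height goes backwards and recomputes the target from the peers that remain.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative blocksync peer pool (assumption, not CometBFT's pool).
type PeerID string

// peerRange is the [Base, Height] window a peer advertised it can serve.
type peerRange struct {
	Base, Height int64
}

type Pool struct {
	peers         map[PeerID]peerRange
	maxPeerHeight int64 // sync target: highest Height any current peer advertises
}

func NewPool() *Pool { return &Pool{peers: map[PeerID]peerRange{}} }

var (
	ErrInvalidRange    = errors.New("blocksync: status has Height below Base or negative Base")
	ErrRegressedHeight = errors.New("blocksync: peer lowered its latest height")
)

// SetPeerRangeNaive trusts every status message. A peer that first advertises
// a high Height and then a low one leaves maxPeerHeight pointing at blocks no
// peer will serve, so the syncing node waits on them indefinitely.
func (p *Pool) SetPeerRangeNaive(id PeerID, base, height int64) {
	p.peers[id] = peerRange{base, height}
	if height > p.maxPeerHeight {
		p.maxPeerHeight = height
	}
}

// SetPeerRange is the hardened form: an honest chain only grows, so a peer
// whose latest height regresses is dropped and the target is recomputed.
// Base may legitimately rise (pruning), so it is not pinned.
func (p *Pool) SetPeerRange(id PeerID, base, height int64) error {
	if base < 0 || height < base {
		p.removePeer(id)
		return fmt.Errorf("%w: peer=%s base=%d height=%d", ErrInvalidRange, id, base, height)
	}
	if prev, ok := p.peers[id]; ok && height < prev.Height {
		p.removePeer(id)
		return fmt.Errorf("%w: peer=%s was=%d now=%d", ErrRegressedHeight, id, prev.Height, height)
	}
	p.peers[id] = peerRange{base, height}
	if height > p.maxPeerHeight {
		p.maxPeerHeight = height
	}
	return nil
}

// removePeer drops a peer and recomputes the target from the remaining peers.
func (p *Pool) removePeer(id PeerID) {
	delete(p.peers, id)
	p.maxPeerHeight = 0
	for _, r := range p.peers {
		if r.Height > p.maxPeerHeight {
			p.maxPeerHeight = r.Height
		}
	}
}

// PickPeer returns a peer whose window covers h, or "" if none does.
func (p *Pool) PickPeer(h int64) PeerID {
	for id, r := range p.peers {
		if r.Base <= h && h <= r.Height {
			return id
		}
	}
	return ""
}

// Stuck reports whether the pool still wants a block above the local tip
// that no connected peer claims to have.
func (p *Pool) Stuck(localHeight int64) bool {
	next := localHeight + 1
	return next <= p.maxPeerHeight && p.PickPeer(next) == ""
}

func main() {
	// Constructed scenario: one honest peer at height 50, one peer that reports 1000 then 10.
	naive := NewPool()
	naive.SetPeerRangeNaive("honest", 1, 50)
	naive.SetPeerRangeNaive("evil", 1, 1000)
	naive.SetPeerRangeNaive("evil", 1, 10)
	fmt.Println("naive pool stuck at height 50:", naive.Stuck(50))

	hardened := NewPool()
	_ = hardened.SetPeerRange("honest", 1, 50)
	_ = hardened.SetPeerRange("evil", 1, 1000)
	fmt.Println("hardened pool:", hardened.SetPeerRange("evil", 1, 10))
	fmt.Println("hardened pool stuck at height 50:", hardened.Stuck(50))
}
```

Dropping the peer rather than merely ignoring the lower report matters: a peer that advertised 1000 and then refuses to serve anything above 10 is behaving dishonestly either way, and keeping it connected leaves the first (inflated) report in the pool's target calculation.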
GO-2025-3443 CometBFT allows a malicious peer to stall network by disseminating valid-looking block parts in github.com/cometbft/cometbft
GO-2025-3442 CometBFT allows a malicious peer to make node stuck in blocksync in github.com/cometbft/cometbft