Bitcoin Core's security team publicly disclosed CVE-2024-52911 on Tuesday, revealing a use-after-free memory vulnerability that affects every version of the software from 0.14.0 through 28.x. The bug, which a miner with sufficient computing power could exploit to crash victim nodes across the network, was patched in Bitcoin Core 29.0 released in April 2025. Despite that, roughly 10,500 of approximately 24,557 reachable nodes worldwide are estimated to still be running vulnerable software.

---

What the bug does and how it works

A use-after-free vulnerability occurs when software continues to reference a block of memory after that memory has already been released. In Bitcoin Core's case, the issue sits inside the script validation engine. The software pre-computes transaction data and stores it in cache objects. Background threads validate scripts using pointers to those objects. Because of the order in which C++ destroys objects when they go out of scope, the cached transaction data can be freed while those background threads are still reading it. The result is access to freed memory, which can cause a crash. The official disclosure notes that remote code execution was theoretically possible, though "constraints on the input (block) data make this unlikely."

Exploiting the bug required producing a specially crafted invalid block, which means an attacker would need real mining hardware and real electricity. That cost barrier ruled out most opportunistic attackers. It did not, however, rule out state-level actors or large mining pools with access to significant hashpower.

---

A covert fix and a long wait for disclosure

Bitcoin Core developer Cory Fields of the MIT Digital Currency Initiative reported the vulnerability on November 2, 2024. Four days later, developer Pieter Wuille submitted a fix as pull request 31112, titled "Improve parallel script validation error debug logging." The deliberately unremarkable title was apparently intended to avoid signaling that a critical security patch was in transit. The fix was merged on December 3, 2024, and shipped publicly with Bitcoin Core 29.0 on April 12, 2025. Full disclosure followed only after version 28.x reached end-of-life on April 19, 2026.

Developer Niklas Gögge, writing in Protos, described the bug as "the first ever memory safety issue in Bitcoin Core," a significant milestone for a codebase written almost entirely in C++, a language that gives programmers precise memory control but provides no automatic safety guarantees. The disclosure has renewed discussion within the developer community about gradually introducing Rust, a memory-safe language, into parts of the Bitcoin Core codebase as a long-term mitigation strategy.

---

Why upgrade rates leave so many nodes at risk

Bitcoin Core has no automatic update mechanism, a deliberate design choice rooted in the project's self-sovereign philosophy. Users must manually download and verify each new release. Researcher Jameson Lopp has tracked the consequences of that approach over time. "Before July 2018, it generally took one year for 95% of node operators to update their software," Lopp wrote. "After 2018, it doubled to two years, and it's entirely possible that we're now in an era of it taking three years for 95% of node operators to update."

That slowdown has real consequences. A separate Protos investigation found that more than 16 months after a patch for a prior vulnerability, CVE-2024-35202, was available, 13.7% of nodes (approximately 2,580 of 18,843) were still running the affected software.

---

The stakes are higher in South Asia and Africa

The exposure problem is not evenly distributed. Sub-Saharan Africa processed more than $205 billion in on-chain crypto value between July 2024 and June 2025, a 52% year-on-year increase according to Chainalysis data. In the same period, Nigeria recorded more than $92.1 billion in on-chain crypto value, reflecting its position as one of the continent's most active Bitcoin markets.

India ranked first in the 2026 Global Crypto Adoption Index. Nigeria and Kenya also placed in the top 20 of that index, underscoring the depth of Bitcoin activity across these regions.

In these markets, Bitcoin functions as a remittance rail, a savings tool, and a hedge against currency volatility. Node operators in these regions are often individuals or small community groups without dedicated security staff, and they may be far less likely to be monitoring Bitcoin Core release notes or CVE feeds.

Bitcoin Core 29.0 also improves memory and disk efficiency, which is directly relevant to operators running nodes on older hardware in bandwidth-constrained environments common across South Asia and Africa. The upgrade offers both a security fix and a performance benefit.

---

What node operators should do now

Any node running Bitcoin Core 28.x or earlier should upgrade to version 29.0 or later immediately. Operators can subscribe to the Bitcoin Core announcements mailing list at https://bitcoincore.org/en/list/announcements/join/ for future security notices.

Community organisations in Lagos, Nairobi, Bangalore, Karachi, and similar hubs should treat upgrade outreach as a priority. The regulatory context adds urgency: Nigeria's Securities and Exchange Commission has established licensing requirements for crypto platforms, and India's Financial Intelligence Unit maintains a formal VASP registration framework. A high-profile exploit, even one that never materialises, could hand regulators in these markets a pretext for tightening restrictions on self-hosted nodes and peer-to-peer Bitcoin activity.