logo

Database

Lack of data validation In github.com/lightningnetwork/lnd

Description

Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service

Impact

A parsing vulnerability in lnd's onion processing logic led to a DoS vector due to excessive memory allocation.

Patches

The issue was patched in lnd v0.17.0. Users should update to a version >= v0.17.0 to be protected.

References

Detailed blog post: https://morehouse.github.io/lightning/lnd-onion-bomb/

Developer discussion: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-383592. NVD-2024-383593. OSV-2024-383594. GHSA-9gxx-58q6-42p75. GCVE-2024-38359

References

1. https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p72. https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/9793. https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta4. https://lightning.network5. https://morehouse.github.io/lightning/lnd-onion-bomb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.