How the CVE Works
The vulnerability resides in CometBFT’s handling of the `BitArray` data structure, used in peer-to-peer messages for consensus. A `BitArray` is defined by its number of bits and a corresponding slice of elements (Elems) where the bits are stored. The bug is triggered by a maliciously crafted message containing a `BitArray` where the number of `Elems` does not match the expected count for the specified number of bits. This creates an invalid internal state. Previously, the software lacked proper validation for this state mismatch. When a node processes this malformed BitArray, it can cause a panic in methods that access the `Elems` slice, crashing the node. Critically, due to the gossip protocol, a node might propagate the malicious message to its peers before attempting to process it itself. This propagation behavior could lead to a cascading failure, halting the entire network as multiple validators and full nodes crash simultaneously.
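As an added illustration (not CometBFT's own code), the following Go model shows the `BitArray` shape described above and the consistency check between the bit count and the `Elems` slice that the page says was missing; the type, method names and the 64-bit word size are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// BitArray mirrors the shape the page describes: a bit count plus a slice of
// 64-bit words holding the bits. Illustrative reimplementation, not CometBFT's code.
type BitArray struct {
	Bits  int
	Elems []uint64
}

// ErrMalformedBitArray flags a Bits / len(Elems) mismatch.
var ErrMalformedBitArray = errors.New("bitarray: elems length does not match bit count")

// expectedElems is the number of 64-bit words needed to hold n bits.
func expectedElems(bits int) int { return (bits + 63) / 64 }

// Validate is the consistency check the page says was missing: a
// peer-supplied BitArray must be well-formed before any method touches Elems.
func (ba *BitArray) Validate() error {
	if ba.Bits < 0 {
		return fmt.Errorf("%w: negative bit count %d", ErrMalformedBitArray, ba.Bits)
	}
	if got, want := len(ba.Elems), expectedElems(ba.Bits); got != want {
		return fmt.Errorf("%w: bits=%d needs %d elems, got %d", ErrMalformedBitArray, ba.Bits, want, got)
	}
	return nil
}

// GetIndex reads bit i. It trusts Bits, so with fewer Elems than Bits
// requires the slice access is exactly where an unvalidated node panics
// with "index out of range".
func (ba *BitArray) GetIndex(i int) bool {
	if i < 0 || i >= ba.Bits {
		return false
	}
	return ba.Elems[i/64]&(uint64(1)<<uint(i%64)) != 0
}

// SafeGetIndex validates first, turning the crash into an error the caller
// can use to reject the message (and drop the peer) instead of panicking.
func (ba *BitArray) SafeGetIndex(i int) (bool, error) {
	if err := ba.Validate(); err != nil {
		return false, err
	}
	return ba.GetIndex(i), nil
}
```

A constructed message claiming 200 bits but carrying only three words is rejected by `Validate` before any slice access, which is the point at which the gossip layer should discard it rather than forward it.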
dailycve form:
Platform: CometBFT
Version: <= v0.38.18
Vulnerability: Denial-of-Service
Severity: Critical
Date: 2025-10-14
Prediction: 2025-10-17
What Undercode Say:
Simulating a node crash from the panic:

panic: runtime error: index out of range [5] with length 3

goroutine 1 [running]:
github.com/cometbft/cometbft/libs/bits.BitArray.GetIndex(0xc000012345, 0x5)
	/libs/bits/bits.go:XXX +0xXX
How the Exploit Works:
A malicious peer sends a crafted `BitArray` message. The receiving node gossips the message to its peers, then processes it. A panic occurs and the node crashes.
Protection from this CVE
Upgrade to v0.38.19 or v0.37.16. Ban malicious peer IPs via iptables.
Impact:
Network-wide halt. Node crashes. Service disruption.
Sources:
Reported By: github.com