CVE-2025-46598 - CPU DoS from unconfirmed transaction processing

Disclosure of the details of a resource exhaustion issue when processing an unconfirmed transaction.A fix was released on October 10th 2025 in Bitcoin Core v30.0. This issue is considered Low severity. Details An attacker could send specially-crafted unconfirmed transactions that would take a victim node afew seconds each to validate. The non-standard transactions would be rejected but not lead to adisconnection and the process could be repeated. This could be exploited to delay block propagation. The issue was mitigated in multiple steps by reducing the validation time in different Scriptcontexts. Attribution Antoine Poinsot reported this issue to the Bitcoin Core security mailing list. Pieter Wuille, Anthony Towns and Antoine Poinsot implemented mitigations to reduce the worst casevalidation time of unconfirmed transactions. Timeline 2025-04-25 - Antoine Poinsot reports the issue 2025-05-12 - Pieter Wuille opens PR #32473 tomitigate the worst case quadratic signature hashing in legacy Script context 2025-07-24 - Anthony Towns opens PR #33050 tomitigate the worst case hashing in Tapscript context 2025-07-30 - Antoine Poinsot opens PR #33105 tofurther mitigate the worst case in legacy Script context 2025-08-08 - PR #33105 is merged into master 2025-08-11 - PR #32473 is merged into master 2025-08-12 - PR #33050 is merged into master 2025-10-10 - Version 30.0 is released with the mitigations 2025-10-24 - Public Disclosure