CVE-2022-39389

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-39389

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39389.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39389

Aliases

GHSA-hc82-w9v8-83pr

Published

2022-11-17T00:00:00Z

Modified

2026-03-11T00:24:08.017595Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator

Summary

Witness Block Parsing DoS Vulnerability in lnd

Details

Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version v0.15.4 are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in lnd version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the lncli updatechanpolicy RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39389.json"
}

References

Affected packages

Git / github.com/btcsuite/btcd

Affected ranges

Type

GIT

Repo

https://github.com/btcsuite/btcd

Events

Introduced

Fixed

1d767de1c739f3a5aca0d9c315c9e348ecae6cad

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.23.3"
        }
    ]
}

Affected versions

Other

BTCD_0_10_0_BETA

BTCD_0_11_0_BETA

BTCD_0_11_1_BETA

BTCD_0_12_0_BETA

BTCD_0_3_0_ALPHA

BTCD_0_3_1_ALPHA

BTCD_0_3_2_ALPHA

BTCD_0_3_3_ALPHA

BTCD_0_4_0_ALPHA

BTCD_0_5_0_ALPHA

BTCD_0_6_0_ALPHA

BTCD_0_7_0_ALPHA

BTCD_0_8_0_BETA

BTCD_0_9_0_BETA

btcec/v2.*

btcec/v2.0.0

btcec/v2.1.0

btcec/v2.1.1

btcec/v2.1.2

btcec/v2.1.3

btcec/v2.2.0

btcec/v2.2.1

btcec/v2.3.0

btcutil/psbt/v1.*

btcutil/psbt/v1.0.0

btcutil/psbt/v1.1.0

btcutil/psbt/v1.1.1

btcutil/psbt/v1.1.2

btcutil/psbt/v1.1.3

btcutil/psbt/v1.1.4

btcutil/psbt/v1.1.5

btcutil/v1.*

btcutil/v1.0.0

btcutil/v1.1.0

btcutil/v1.1.1

btcutil/v1.1.2

chaincfg/chainhash/v1.*

chaincfg/chainhash/v1.0.0

chaincfg/chainhash/v1.0.1

v0.*

v0.20.0-beta

v0.20.1-beta

v0.21.0-beta

v0.22.0-beta

v0.23.0

v0.23.1

v0.23.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39389.json"

Git / github.com/lightningnetwork/lnd

Affected ranges

Type: GIT
Repo: https://github.com/lightningnetwork/lnd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

96fe51e2e5c2ee0c97909499e0e96a3d3755757e

Affected versions

0.*

0.4-beta

cert/v1.*

cert/v1.0.0

cert/v1.0.1

cert/v1.0.2

cert/v1.0.3

cert/v1.1.0

cert/v1.1.1

clock/v1.*

clock/v1.0.0

clock/v1.0.1

clock/v1.1.0

healthcheck/v1.*

healthcheck/v1.0.0

healthcheck/v1.0.1

healthcheck/v1.0.2

healthcheck/v1.1.0

healthcheck/v1.2.0

healthcheck/v1.2.1

healthcheck/v1.2.2

kvdb/v1.*

kvdb/v1.0.0

kvdb/v1.0.1

kvdb/v1.0.2

kvdb/v1.0.3

kvdb/v1.1.0

kvdb/v1.2.0

kvdb/v1.2.1

kvdb/v1.2.3

kvdb/v1.2.4

kvdb/v1.2.5

kvdb/v1.3.0

kvdb/v1.3.1

queue/v1.*

queue/v1.0.1

queue/v1.0.2

queue/v1.0.3

queue/v1.0.4

queue/v1.1.0

ticker/v1.*

ticker/v1.1.0

tlv/v1.*

tlv/v1.0.1

tlv/v1.0.2

tlv/v1.0.3

tor/v1.*

tor/v1.0.0

tor/v1.0.1

Other

upstream

v0.*

v0.1-alpha

v0.1.1-alpha

v0.10.0-beta

v0.10.0-beta.rc1

v0.10.0-beta.rc2

v0.10.0-beta.rc3

v0.10.0-beta.rc4

v0.10.0-beta.rc5

v0.10.0-beta.rc6

v0.11

v0.11.0-beta

v0.11.0-beta.rc1

v0.11.0-beta.rc2

v0.11.0-beta.rc3

v0.11.0-beta.rc4

v0.12.0-beta

v0.12.0-beta.rc1

v0.12.0-beta.rc2

v0.12.0-beta.rc3

v0.12.0-beta.rc3-testbuild7

v0.12.0-beta.rc4

v0.12.0-beta.rc5

v0.12.0-beta.rc6

v0.13.0-beta

v0.13.0-beta.rc1

v0.13.0-beta.rc2

v0.13.0-beta.rc3

v0.13.0-beta.rc4

v0.13.0-beta.rc5

v0.14.0-beta

v0.14.0-beta.rc1

v0.14.0-beta.rc2

v0.14.0-beta.rc3

v0.14.0-beta.rc4

v0.14.1-beta

v0.15.0-beta

v0.15.0-beta.rc1

v0.15.0-beta.rc2

v0.15.0-beta.rc3

v0.15.0-beta.rc4

v0.15.0-beta.rc5

v0.15.0-beta.rc6

v0.15.1-beta

v0.15.1-beta.rc1

v0.15.1-beta.rc2

v0.15.2-beta

v0.15.3-beta

v0.15.3-beta.rc1

v0.2-alpha

v0.2.1-alpha

v0.3-alpha

v0.4-beta

v0.4.1-beta

v0.4.2-beta

v0.5-beta

v0.5-beta-rc1

v0.5-beta-rc2

v0.5.1-beta

v0.5.1-beta-rc1

v0.5.1-beta-rc2

v0.5.1-beta-rc3

v0.5.1-beta-rc4

v0.6-beta

v0.6-beta-rc1

v0.6-beta-rc2

v0.6-beta-rc3

v0.6-beta-rc4

v0.6.0-beta

v0.6.1-beta

v0.6.1-beta-rc1

v0.6.1-beta-rc2

v0.7.0-beta

v0.7.0-beta-rc1

v0.7.0-beta-rc2

v0.7.0-beta-rc3

v0.7.1-beta

v0.7.1-beta-rc1

v0.7.1-beta-rc2

v0.8.0-beta

v0.8.0-beta-rc1

v0.8.0-beta-rc2

v0.8.0-beta-rc3

v0.9.0-beta

v0.9.0-beta-rc1

v0.9.0-beta-rc2

v0.9.0-beta-rc3

v0.9.0-beta-rc4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39389.json"