CVE-2024-38359

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-38359
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38359.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-38359
Aliases
Published
2024-06-20T22:16:00.428Z
Modified
2026-04-10T05:15:45.815773Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Lightning Network Daemon Onion Bomb
Details

The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the --rejecthtlc CLI flag and also disable forwarding on channels via the UpdateChanPolicyCommand, or disable listening on a public network interface via the --nolisten flag as a mitigation.

Database specific 
{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38359.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/lightningnetwork/lnd

Affected ranges

Type
GIT
Repo
https://github.com/lightningnetwork/lnd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2fb150c8fe827df9df0520ef9916b3afb7b03a8d
Type
GIT
Repo
https://github.com/lightningnetwork/lnd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2fb150c8fe827df9df0520ef9916b3afb7b03a8d

Affected versions

0.*
0.4-beta
cert/v1.*
cert/v1.0.1
cert/v1.0.2
cert/v1.0.3
cert/v1.1.1
cert/v1.2.0
cert/v1.2.1
cert/v1.2.2
clock/v1.*
clock/v1.0.0
clock/v1.0.1
clock/v1.1.1
healthcheck/v1.*
healthcheck/v1.0.0
healthcheck/v1.0.1
healthcheck/v1.0.2
healthcheck/v1.2.0
healthcheck/v1.2.1
healthcheck/v1.2.3
kvdb/v1.*
kvdb/v1.0.0
kvdb/v1.0.1
kvdb/v1.0.2
kvdb/v1.0.3
kvdb/v1.1.0
kvdb/v1.2.1
kvdb/v1.2.3
kvdb/v1.2.4
kvdb/v1.2.5
kvdb/v1.3.0
kvdb/v1.3.1
kvdb/v1.4.0
kvdb/v1.4.1
kvdb/v1.4.2
kvdb/v1.4.3
kvdb/v1.4.4
queue/v1.*
queue/v1.0.1
queue/v1.0.2
queue/v1.0.3
queue/v1.1.1
ticker/v1.*
ticker/v1.1.1
tlv/v1.*
tlv/v1.0.1
tlv/v1.0.2
tlv/v1.0.3
tlv/v1.1.0
tlv/v1.1.1
tor/v1.*
tor/v1.0.1
tor/v1.0.2
tor/v1.1.0
tor/v1.1.1
tor/v1.1.2
Other
upstream
v0.*
v0.1-alpha
v0.1.1-alpha
v0.10.0-beta
v0.10.0-beta.rc1
v0.10.0-beta.rc2
v0.10.0-beta.rc3
v0.10.0-beta.rc4
v0.10.0-beta.rc5
v0.10.0-beta.rc6
v0.11
v0.11.0-beta
v0.11.0-beta.rc1
v0.11.0-beta.rc2
v0.11.0-beta.rc3
v0.11.0-beta.rc4
v0.12.0-beta
v0.12.0-beta.rc1
v0.12.0-beta.rc2
v0.12.0-beta.rc3
v0.12.0-beta.rc4
v0.12.0-beta.rc5
v0.12.0-beta.rc6
v0.13.0-beta
v0.13.0-beta.rc1
v0.13.0-beta.rc2
v0.13.0-beta.rc3
v0.13.0-beta.rc4
v0.13.0-beta.rc5
v0.14.0-beta
v0.14.0-beta.rc1
v0.14.0-beta.rc2
v0.14.0-beta.rc3
v0.14.0-beta.rc4
v0.14.1-beta
v0.15.0-beta
v0.15.0-beta.rc1
v0.15.0-beta.rc2
v0.15.0-beta.rc3
v0.15.0-beta.rc4
v0.15.0-beta.rc5
v0.15.0-beta.rc6
v0.16.0-beta
v0.16.0-beta.rc1
v0.16.0-beta.rc2
v0.16.0-beta.rc3
v0.16.0-beta.rc4
v0.16.0-beta.rc5
v0.17.0-beta.rc1
v0.17.0-beta.rc2
v0.17.0-beta.rc3
v0.17.0-beta.rc4
v0.17.0-beta.rc5
v0.17.0-beta.rc6
v0.2-alpha
v0.2.1-alpha
v0.3-alpha
v0.4-beta
v0.4.1-beta
v0.4.2-beta
v0.5-beta
v0.5-beta-rc1
v0.5-beta-rc2
v0.5.1-beta
v0.5.1-beta-rc1
v0.5.1-beta-rc2
v0.5.1-beta-rc3
v0.5.1-beta-rc4
v0.6-beta
v0.6-beta-rc1
v0.6-beta-rc2
v0.6-beta-rc3
v0.6-beta-rc4
v0.6.0-beta
v0.6.1-beta
v0.6.1-beta-rc1
v0.6.1-beta-rc2
v0.7.0-beta
v0.7.0-beta-rc1
v0.7.0-beta-rc2
v0.7.0-beta-rc3
v0.7.1-beta
v0.7.1-beta-rc1
v0.7.1-beta-rc2
v0.8.0-beta
v0.8.0-beta-rc1
v0.8.0-beta-rc2
v0.8.0-beta-rc3
v0.9.0-beta
v0.9.0-beta-rc1
v0.9.0-beta-rc2
v0.9.0-beta-rc3
v0.9.0-beta-rc4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38359.json"