From 17de6d2680db4cae63401d6d2964e5d8294f6ed6 Mon Sep 17 00:00:00 2001
From: Antoine Poinsot
Date: Tue, 5 May 2026 07:52:08 -0400
Subject: [PATCH] validation: correct lifetime of precomputed tx data

This makes sure `txsdata` always outlives the Script check queue (since local objects are destructed in reverse order of construction). This is the root cause for a security vulnerability reported by Cory Fields in 2024 that could be exploited by crafting an invalid block to cause nodes to read freed memory. The vulnerability was covertly fixed in commit `492e1f09943fcb6145c21d470299305a19e17d8b`. See security advisory for CVE-2024-52911 for more details.

Github-Pull: #35209
Rebased-From: 1ed799fb21db51a12cbd5579420a61b9b5b3ee7d
---
 src/validation.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/validation.cpp b/src/validation.cpp
index 3f77955da62..befc5df5ec3 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -2577,11 +2577,10 @@ bool Chainstate::ConnectBlock(const CBlock& block, BlockValidationState& state,
  // in multiple threads). Preallocate the vector size so a new allocation
  // doesn't invalidate pointers into the vector, and keep txsdata in scope
  // for as long as `control`.
+ std::vector txsdata(block.vtx.size());
  std::optional> control;
  if (auto& queue = m_chainman.GetCheckQueue(); queue.HasThreads() && fScriptChecks) control.emplace(queue);
- std::vector txsdata(block.vtx.size());
-
  std::vector prevheights;
  CAmount nFees = 0;
  int nInputs = 0;
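Review bot: The comment above the moved declaration still only says to keep txsdata in scope for as long as `control`, which does not state the invariant this fix depends on: `txsdata` must be declared before `control`. Both are locals of the same scope, so the old order also satisfied that wording, and a later refactor could move the lines back without contradicting the comment. I would add a line directly above the new declaration, such as `// txsdata MUST be declared before control: locals are destroyed in reverse declaration order, and checks queued through control hold pointers into txsdata.` The exact destructor behaviour of `control` is not visible in this hunk, so confirm that wording against the check queue code. The comment block starts above the hunk and ConnectBlock continues past it, so any early-return paths that trigger the destruction are not shown here. The diffstat touches only src/validation.cpp, so a regression test that connects an invalid block under a memory sanitizer would help keep the ordering from regressing.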