Vulnerability-Lookup

CVE-2026-44714 (GCVE-0-2026-44714)

Vulnerability from cvelistv5 – Published: 2026-05-15 16:51 – Updated: 2026-05-16 01:13

Title

bitcoinj: ScriptExecution P2PKH/P2WPKH Verification Bypass

Summary

The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj's local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/bitcoinj/bitcoinj/security/adv…	x_refsource_CONFIRM
https://github.com/bitcoinj/bitcoinj/commit/2bc56…	x_refsource_MISC
https://github.com/bitcoinj/bitcoinj/commit/b575a…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
bitcoinj	bitcoinj	Affected: < 0.17.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44714",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-16T01:13:35.307405Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-16T01:13:51.811Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bitcoinj",
          "vendor": "bitcoinj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.17.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj\u0027s local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T16:51:11.865Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc"
        },
        {
          "name": "https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c"
        },
        {
          "name": "https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0"
        }
      ],
      "source": {
        "advisory": "GHSA-hfcf-v2f8-x9pc",
        "discovery": "UNKNOWN"
      },
      "title": "bitcoinj: ScriptExecution P2PKH/P2WPKH Verification Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44714",
    "datePublished": "2026-05-15T16:51:11.865Z",
    "dateReserved": "2026-05-07T17:07:09.318Z",
    "dateUpdated": "2026-05-16T01:13:51.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44714",
      "date": "2026-05-19",
      "epss": "0.00028",
      "percentile": "0.07981"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44714\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T17:16:47.933\",\"lastModified\":\"2026-05-18T19:59:59.590\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj\u0027s local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"references\":[{\"url\":\"https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44714\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-16T01:13:35.307405Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-16T01:13:46.214Z\"}}], \"cna\": {\"title\": \"bitcoinj: ScriptExecution P2PKH/P2WPKH Verification Bypass\", \"source\": {\"advisory\": \"GHSA-hfcf-v2f8-x9pc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bitcoinj\", \"product\": \"bitcoinj\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.17.1\"}]}], \"references\": [{\"url\": \"https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc\", \"name\": \"https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c\", \"name\": \"https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0\", \"name\": \"https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj\u0027s local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-347\", \"description\": \"CWE-347: Improper Verification of Cryptographic Signature\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T16:51:11.865Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44714\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-16T01:13:51.811Z\", \"dateReserved\": \"2026-05-07T17:07:09.318Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T16:51:11.865Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44714

Vulnerability from fkie_nvd - Published: 2026-05-15 17:16 - Updated: 2026-05-18 19:59

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c
	security-advisories@github.com	https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0
	security-advisories@github.com	https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj\u0027s local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1."
    }
  ],
  "id": "CVE-2026-44714",
  "lastModified": "2026-05-18T19:59:59.590",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T17:16:47.933",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-HFCF-V2F8-X9PC

Vulnerability from github – Published: 2026-05-08 17:43 – Updated: 2026-05-15 23:49

Summary

bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass

Details

Summary

ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java.

In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj's local verification for arbitrary P2PKH and P2WPKH outputs.

This doesn't affect the SPV (simple payment verification) trust model, as this model follows PoW and doesn't verify input signatures at all.

Details

The issue is in the optimized branches of ScriptExecution.correctlySpends(...).

In the P2PKH fast path at core/src/main/java/org/bitcoinj/script/ScriptExecution.java:1042, the code:

parses the attacker-supplied signature from scriptSig
parses the attacker-supplied public key from scriptSig
computes the sighash against the victim output's scriptPubKey
checks only pubkey.verify(sigHash, signature)

It never enforces the missing P2PKH binding:

HASH160(pubkey) == ScriptPattern.extractHashFromP2PKH(scriptPubKey)

That means the OP_DUP OP_HASH160 <hash> OP_EQUALVERIFY OP_CHECKSIG semantics are not actually enforced in this fast path.

Relevant code:

} else if (ScriptPattern.isP2PKH(scriptPubKey)) {
    if (chunks.size() != 2)
        throw new ScriptException(...);
    TransactionSignature signature;
    try {
        byte[] data = Objects.requireNonNull(chunks.get(0).data);
        signature = TransactionSignature.decodeFromBitcoin(data, true, true);
    } catch (SignatureDecodeException x) {
        throw new ScriptException(...);
    }
    ECKey pubkey = ECKey.fromPublicOnly(Objects.requireNonNull(chunks.get(1).data));
    Sha256Hash sigHash = txContainingThis.hashForSignature(scriptSigIndex, scriptPubKey,
            signature.sigHashMode(), false);
    boolean validSig = pubkey.verify(sigHash, signature);
    if (!validSig)
        throw new ScriptException(...);
}

In the native P2WPKH fast path at core/src/main/java/org/bitcoinj/script/ScriptExecution.java:1023, the bug is similar. The code:

reads the attacker-supplied pubkey from witness
builds scriptCode from that attacker pubkey with ScriptBuilder.createP2PKHOutputScript(pubkey)
computes the BIP143 sighash using that attacker-derived scriptCode
verifies the signature against the attacker pubkey

It never enforces:

HASH160(pubkey) == ScriptPattern.extractHashFromP2WH(scriptPubKey)

So for P2WPKH, the attacker controls both the pubkey and the scriptCode used for signing.

Relevant code:

if (ScriptPattern.isP2WPKH(scriptPubKey)) {
    Objects.requireNonNull(witness);
    if (witness.getPushCount() < 2)
        throw new ScriptException(...);
    TransactionSignature signature;
    try {
        signature = TransactionSignature.decodeFromBitcoin(witness.getPush(0), true, true);
    } catch (SignatureDecodeException x) {
        throw new ScriptException(...);
    }
    ECKey pubkey = ECKey.fromPublicOnly(witness.getPush(1));
    Script scriptCode = ScriptBuilder.createP2PKHOutputScript(pubkey);
    Sha256Hash sigHash = txContainingThis.hashForWitnessSignature(scriptSigIndex, scriptCode, value,
            signature.sigHashMode(), false);
    boolean validSig = pubkey.verify(sigHash, signature);
    if (!validSig)
        throw new ScriptException(...);
}

Affected call sites include:

core/src/main/java/org/bitcoinj/core/TransactionInput.java:546
core/src/main/java/org/bitcoinj/wallet/Wallet.java:4520
core/src/main/java/org/bitcoinj/signers/LocalTransactionSigner.java:84
core/src/main/java/org/bitcoinj/signers/CustomTransactionSigner.java:77

These call sites use correctlySpends() for transaction/input validation and pre-signing checks. Any application that treats a successful result from this path as proof that a spend is valid is affected.

Fix

The issue is fixed on the release-0.17 branch via 2bc5653c41d260d840692bc554690d4d79208f9c, and on master via b575a682acf614b9ff95cacbdeb48f86c3ababe0. A 0.17.1 maintenance release has been made available on Maven Central.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bitcoinj:bitcoinj-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.15"
            },
            {
              "fixed": "0.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T17:43:06Z",
    "nvd_published_at": "2026-05-15T17:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`ScriptExecution.correctlySpends()` contains two fast-path verification bugs for standard `P2PKH` and native `P2WPKH` spends in `core/src/main/java/org/bitcoinj/script/ScriptExecution.java`.\n\nIn both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj\u0027s local verification for arbitrary `P2PKH` and `P2WPKH` outputs.\n\nThis doesn\u0027t affect the SPV (simple payment verification) trust model, as this model follows PoW and doesn\u0027t verify input signatures at all.\n\n### Details\nThe issue is in the optimized branches of `ScriptExecution.correctlySpends(...)`.\n\nIn the `P2PKH` fast path at `core/src/main/java/org/bitcoinj/script/ScriptExecution.java:1042`, the code:\n\n- parses the attacker-supplied signature from `scriptSig`\n- parses the attacker-supplied public key from `scriptSig`\n- computes the sighash against the victim output\u0027s `scriptPubKey`\n- checks only `pubkey.verify(sigHash, signature)`\n\nIt never enforces the missing `P2PKH` binding:\n\n- `HASH160(pubkey) == ScriptPattern.extractHashFromP2PKH(scriptPubKey)`\n\nThat means the `OP_DUP OP_HASH160 \u003chash\u003e OP_EQUALVERIFY OP_CHECKSIG` semantics are not actually enforced in this fast path.\n\nRelevant code:\n\n```java\n} else if (ScriptPattern.isP2PKH(scriptPubKey)) {\n    if (chunks.size() != 2)\n        throw new ScriptException(...);\n    TransactionSignature signature;\n    try {\n        byte[] data = Objects.requireNonNull(chunks.get(0).data);\n        signature = TransactionSignature.decodeFromBitcoin(data, true, true);\n    } catch (SignatureDecodeException x) {\n        throw new ScriptException(...);\n    }\n    ECKey pubkey = ECKey.fromPublicOnly(Objects.requireNonNull(chunks.get(1).data));\n    Sha256Hash sigHash = txContainingThis.hashForSignature(scriptSigIndex, scriptPubKey,\n            signature.sigHashMode(), false);\n    boolean validSig = pubkey.verify(sigHash, signature);\n    if (!validSig)\n        throw new ScriptException(...);\n}\n```\n\nIn the native `P2WPKH` fast path at `core/src/main/java/org/bitcoinj/script/ScriptExecution.java:1023`, the bug is similar. The code:\n\n- reads the attacker-supplied pubkey from `witness`\n- builds `scriptCode` from that attacker pubkey with `ScriptBuilder.createP2PKHOutputScript(pubkey)`\n- computes the BIP143 sighash using that attacker-derived `scriptCode`\n- verifies the signature against the attacker pubkey\n\nIt never enforces:\n\n- `HASH160(pubkey) == ScriptPattern.extractHashFromP2WH(scriptPubKey)`\n\nSo for `P2WPKH`, the attacker controls both the pubkey and the `scriptCode` used for signing.\n\nRelevant code:\n\n```java\nif (ScriptPattern.isP2WPKH(scriptPubKey)) {\n    Objects.requireNonNull(witness);\n    if (witness.getPushCount() \u003c 2)\n        throw new ScriptException(...);\n    TransactionSignature signature;\n    try {\n        signature = TransactionSignature.decodeFromBitcoin(witness.getPush(0), true, true);\n    } catch (SignatureDecodeException x) {\n        throw new ScriptException(...);\n    }\n    ECKey pubkey = ECKey.fromPublicOnly(witness.getPush(1));\n    Script scriptCode = ScriptBuilder.createP2PKHOutputScript(pubkey);\n    Sha256Hash sigHash = txContainingThis.hashForWitnessSignature(scriptSigIndex, scriptCode, value,\n            signature.sigHashMode(), false);\n    boolean validSig = pubkey.verify(sigHash, signature);\n    if (!validSig)\n        throw new ScriptException(...);\n}\n```\n\nAffected call sites include:\n\n- `core/src/main/java/org/bitcoinj/core/TransactionInput.java:546`\n- `core/src/main/java/org/bitcoinj/wallet/Wallet.java:4520`\n- `core/src/main/java/org/bitcoinj/signers/LocalTransactionSigner.java:84`\n- `core/src/main/java/org/bitcoinj/signers/CustomTransactionSigner.java:77`\n\nThese call sites use `correctlySpends()` for transaction/input validation and pre-signing checks. Any application that treats a successful result from this path as proof that a spend is valid is affected.\n\n### Fix\nThe issue is fixed on the `release-0.17` branch via 2bc5653c41d260d840692bc554690d4d79208f9c, and on `master` via b575a682acf614b9ff95cacbdeb48f86c3ababe0. A 0.17.1 maintenance release has been made available on Maven Central.",
  "id": "GHSA-hfcf-v2f8-x9pc",
  "modified": "2026-05-15T23:49:51Z",
  "published": "2026-05-08T17:43:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoinj/bitcoinj/commit/2bc5653c41d260d840692bc554690d4d79208f9c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoinj/bitcoinj/commit/b575a682acf614b9ff95cacbdeb48f86c3ababe0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bitcoinj/bitcoinj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoinj/bitcoinj/releases/tag/v0.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44714 (GCVE-0-2026-44714)

FKIE_CVE-2026-44714

GHSA-HFCF-V2F8-X9PC

Summary

Details

Fix

Tags

Sightings

Nomenclature