CVE-2024-52918: n/a
Bitcoin-Qt in Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption and application crash) via a BIP21 r parameter for a URL that has a large file.
AI Analysis
Technical Summary
CVE-2024-52918 is a denial-of-service vulnerability in Bitcoin-Qt, the graphical wallet of Bitcoin Core, in versions before 0.20.0. The headless bitcoind does not handle bitcoin: URIs, so only the GUI is affected. The issue is in the handling of the 'r' parameter of a BIP21 payment URI, which BIP72 defines as the URL of a BIP70 payment request that the wallet fetches over HTTP(S) and parses. When that URL serves a very large response, the client downloads it into memory without an upper bound, so memory consumption grows until the process crashes. No privileges or authentication are needed, but user interaction is: the victim must open the crafted URI, for example by clicking a bitcoin: link that the operating system dispatches to Bitcoin-Qt or by pasting it into the wallet. The CVSS v3.1 base score is 6.5 (medium), consistent with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges required, user interaction required, and an impact on availability only. The underlying weakness is CWE-770 (Allocation of Resources Without Limits or Throttling). No advisory or patch link is recorded for this entry, but the affected range ends at 0.20.0, the release in which Bitcoin Core removed BIP70 payment-protocol support from the GUI, and no exploitation in the wild is reported. The practical scenario is an attacker distributing a payment URI whose r parameter points at a server they control, aimed at users who open payment requests from untrusted sources.
Potential Impact
The impact is loss of availability of Bitcoin-Qt in versions before 0.20.0. Opening a crafted URI drives memory use up until the process crashes or is killed by the operating system. Because Bitcoin-Qt runs the node and the wallet in a single process, the crash also drops the node's peer connections and interrupts wallet operations until the application is restarted; the user cannot view or send transactions from the GUI in the meantime. Confidentiality and integrity are not affected: wallet and chain data on disk are not modified and no keys are exposed. The attack is remote in the sense that the malicious payment-request server can be anywhere, but it is not automatable against arbitrary nodes: the victim must open the URI, and headless bitcoind nodes, which do not process bitcoin: URIs, are not exposed. With no known exploitation in the wild and a fix available since 0.20.0, the residual risk is concentrated in unmaintained GUI wallet installations that still open payment requests from untrusted sources.
Mitigation Recommendations
Upgrade Bitcoin Core to 0.20.0 or later; the affected range ends there, and 0.20.0 removed BIP70 payment-request fetching from the GUI altogether. Where an older version must stay in service for a while, check whether the build actually includes BIP70 support: Bitcoin Core 0.18.x and 0.19.x disabled it by default at build time (it had to be enabled explicitly with --enable-bip70 when configuring), so a build without it does not contain the vulnerable fetch path, while earlier releases and builds that enabled it do. Until upgraded, users should not open BIP21 URIs that carry an r parameter from unknown sources; a plain bitcoin:<address>?amount=... URI without r does not trigger any download. Egress filtering on hosts that run the wallet limits which payment-request servers the client can reach, though it is a coarse control. For wallet developers generally, the fix pattern for CWE-770 is to bound the fetch on both the declared and the actual size: reject a response whose Content-Length exceeds a fixed cap, and stop reading and discard the buffer as soon as the received byte count exceeds the cap, since Content-Length can be omitted or falsified. Detection opportunities are limited: the observable signature is a crash or out-of-memory kill of bitcoin-qt shortly after a bitcoin: URI was opened, together with an outbound HTTP(S) connection from the wallet host to an unfamiliar server at that time.
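The unbounded fetch described in the technical summary, beside the size-capped replacement recommended above, as an added C++ example. This is illustrative code written for this page, not Bitcoin Core's own BIP21/BIP70 implementation: the HTTP fetch is modelled by a std::istream plus an optional declared Content-Length so the code runs offline, the 50000-byte cap is an assumed value, the bitcoin:bc1qexample and merchant.example URIs are constructed, and the URI parser and percent-decoder are deliberately minimal.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <istream>
#include <map>
#include <sstream>
#include <string>

// Cap on a payment request fetched through the BIP21/BIP72 'r' parameter.
// Assumed value for this example, not a Bitcoin Core constant.
const std::size_t kMaxPaymentRequestBytes = 50000;

struct Bip21Uri {
    std::string address;
    std::map<std::string, std::string> params;
};

// Decode %XX escapes; malformed sequences are passed through unchanged.
static std::string PercentDecode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::strtol(s.substr(i + 1, 2).c_str(), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// Minimal BIP21 parser for "bitcoin:<address>?k=v&k2=v2"; false on wrong scheme.
bool ParseBip21(const std::string& uri, Bip21Uri* out) {
    static const std::string scheme = "bitcoin:";
    if (uri.compare(0, scheme.size(), scheme) != 0) return false;
    const std::string rest = uri.substr(scheme.size());
    const std::size_t q = rest.find('?');
    out->address = rest.substr(0, q);
    out->params.clear();
    if (q == std::string::npos) return true;
    std::istringstream qs(rest.substr(q + 1));
    std::string kv;
    while (std::getline(qs, kv, '&')) {
        const std::size_t eq = kv.find('=');
        if (eq == std::string::npos) continue;
        out->params[PercentDecode(kv.substr(0, eq))] = PercentDecode(kv.substr(eq + 1));
    }
    return true;
}

// The CWE-770 shape: buffer the whole body in memory, however large it is.
std::string ReadAllUnbounded(std::istream& in) {
    std::string buf;
    char chunk[4096];
    for (;;) {
        in.read(chunk, sizeof chunk);
        const std::streamsize n = in.gcount();
        if (n <= 0) break;
        buf.append(chunk, static_cast<std::size_t>(n));
        if (!in) break;  // short read at EOF
    }
    return buf;
}

// Hardened read: give up as soon as the body would exceed max_bytes, so memory
// use stays bounded by the cap whatever the server sends.
bool ReadAtMost(std::istream& in, std::size_t max_bytes, std::string* out) {
    out->clear();
    char chunk[4096];
    for (;;) {
        in.read(chunk, sizeof chunk);
        const std::streamsize n = in.gcount();
        if (n <= 0) break;
        if (out->size() + static_cast<std::size_t>(n) > max_bytes) return false;
        out->append(chunk, static_cast<std::size_t>(n));
        if (!in) break;
    }
    return true;
}

enum PaymentRequestResult { PR_NO_R_PARAM, PR_BAD_URI, PR_TOO_LARGE, PR_OK };

// Handle the 'r' parameter of a BIP21 URI. declared_length stands in for the
// response's Content-Length (-1 = absent); body stands in for the response body.
PaymentRequestResult HandlePaymentRequest(const std::string& uri, std::istream& body,
                                          long declared_length, std::string* request) {
    Bip21Uri parsed;
    if (!ParseBip21(uri, &parsed)) return PR_BAD_URI;
    if (parsed.params.find("r") == parsed.params.end()) return PR_NO_R_PARAM;
    // Early reject on the declared size, but never rely on it alone: the byte
    // cap in ReadAtMost still governs the bytes actually received.
    if (declared_length > static_cast<long>(kMaxPaymentRequestBytes)) return PR_TOO_LARGE;
    if (!ReadAtMost(body, kMaxPaymentRequestBytes, request)) return PR_TOO_LARGE;
    return PR_OK;
}

int main() {
    const std::string uri = "bitcoin:bc1qexample?r=https%3A%2F%2Fmerchant.example%2Fpr%2F42";
    std::string req;
    std::istringstream small("constructed payment request bytes");           // under the cap
    std::istringstream huge(std::string(kMaxPaymentRequestBytes + 1, 'A'));  // one byte over
    std::cout << "small body: result " << HandlePaymentRequest(uri, small, -1, &req) << " (3 = PR_OK)\n";
    std::cout << "huge body: result " << HandlePaymentRequest(uri, huge, -1, &req) << " (2 = PR_TOO_LARGE)\n";
    return 0;
}
```

The two reads differ only in the one comparison against the cap, which is the whole of the fix for this class of bug; the Content-Length precheck is an optimisation that avoids transferring an obviously oversized body, not a substitute for counting bytes as they arrive.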
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, Canada, Australia, Switzerland, Singapore, Netherlands
Technical Details
Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-11-18T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 699f6bbab7ef31ef0b55a70a
Added to database: 2/25/2026, 9:38:02 PM
Last enriched: 2/28/2026, 3:08:46 AM
Last updated: 4/12/2026, 12:28:58 AM