Impact
Bitcoin Core before version 28.x includes an undisclosed flaw that first appears in release 0.14. The nature of the vulnerability is not described by the vendor, and thus the exact capabilities of an attacker cannot be determined from public information. It may allow for unauthorized data disclosure, manipulation of transaction data, or denial of service against the node. Because the weakness type is unspecified, it is prudent to treat it as a high-impact flaw that could affect the confidentiality, integrity, or availability of a Bitcoin node.
Affected Systems
The issue affects all Bitcoin Core nodes running any version from 0.14 through the latest 28.x releases. The Bitcoin Core project is the vendor, and no more granular product names are listed. Users operating a full node or a lightweight client that relies on the Core back-end should consider their installation vulnerable until a patch is released.
Risk and Exploitability
Without a disclosed exploit or CVSS score, the exact risk level is indeterminate. No EPSS (exploit probability) score is available, so no quantitative likelihood can be assigned. Nevertheless, Bitcoin Core is widely deployed worldwide, making it an attractive target. If this flaw can be triggered via a network message, a remote attacker could potentially compromise a node even without local access. The lack of a KEV listing indicates no known public exploits yet, but the absence of evidence should not be taken as absence of risk. Organizations should treat this as a potential remote vulnerability and prepare mitigation steps until a fix is released.