Threat Advisory

Bitcoinj Vulnerability Breaks Key Ownership Checks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-44714, with a CVSS score of 7.5, is a vulnerability in the bitcoinj library affecting the script verification logic for standard P2PKH and native P2WPKH transaction spends. The flaw exists in the fast-path validation of ScriptExecution.correctlySpends(), where the library verifies an attacker-controlled signature and public key but fails to ensure that the public key matches the one committed in the output being spent. This missing binding check allows an attacker to substitute their own keypair in the transaction's scriptSig or witness data and still pass local verification, effectively bypassing ownership validation and enabling unauthorized spends of outputs under certain application-level trust assumptions. The vulnerability can be abused by crafting malicious transactions that appear valid during local checks, potentially leading to unauthorized fund transfers or manipulation of wallet-side validation logic in systems relying on this library. The issue has been fixed by restoring proper enforcement of public key commitment checks in both P2PKH and P2WPKH verification paths, ensuring that only the intended recipient key can satisfy spend conditions.
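
The missing binding check described above, shown beside its corrected form as an added example. This is a simplified model and not bitcoinj's code: the class and method names are hypothetical, the JDK's secp256r1 curve stands in for secp256k1, and SHA-256 truncated to 20 bytes stands in for HASH160.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

// Simplified model of a pay-to-pubkey-hash ownership check (not bitcoinj code).
// Assumptions: secp256r1 replaces secp256k1, and SHA-256 truncated to
// 20 bytes replaces HASH160, so the example runs on a stock JDK.
public class KeyBindingDemo {
    // Model of the key hash committed in the output being spent.
    static byte[] keyHash(PublicKey pub) throws GeneralSecurityException {
        return Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(pub.getEncoded()), 20);
    }

    static byte[] sign(PrivateKey key, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(msg);
        return s.sign();
    }

    static boolean sigValid(PublicKey pub, byte[] sig, byte[] msg) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(pub);
        v.update(msg);
        return v.verify(sig);
    }

    // Flawed fast path: the signature is checked against the key the spender
    // supplied, and the committed hash is never consulted.
    static boolean verifyUnbound(byte[] committed, PublicKey pub, byte[] sig, byte[] msg) throws GeneralSecurityException {
        return sigValid(pub, sig, msg);
    }

    // Corrected check: the supplied key must hash to the committed value first.
    static boolean verifyBound(byte[] committed, PublicKey pub, byte[] sig, byte[] msg) throws GeneralSecurityException {
        return MessageDigest.isEqual(committed, keyHash(pub)) && sigValid(pub, sig, msg);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair owner = gen.generateKeyPair(), other = gen.generateKeyPair();
        byte[] committed = keyHash(owner.getPublic());            // output commits to the owner's key
        byte[] msg = "constructed spend digest".getBytes(StandardCharsets.UTF_8);
        byte[] otherSig = sign(other.getPrivate(), msg);          // signed with an unrelated key
        System.out.println("unbound, unrelated key: " + verifyUnbound(committed, other.getPublic(), otherSig, msg));
        System.out.println("bound, unrelated key:   " + verifyBound(committed, other.getPublic(), otherSig, msg));
        System.out.println("bound, owner key:       " + verifyBound(committed, owner.getPublic(), sign(owner.getPrivate(), msg), msg));
    }
}
```

The unbound check accepts the unrelated key because the signature is valid for the key it was handed; the bound check rejects it and still accepts the owner's key. A test of this shape is a useful regression check for any application-level validation built on top of the library.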


RECOMMENDATION:

We recommend updating org.bitcoinj:bitcoinj-core to version 0.17.1 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-hfcf-v2f8-x9pc