May 16 - May 16, 2026
This vulnerability could allow a remote peer to crash a node by sending a malformed message. The flaw was an overly strict assertion in the daemon's logic that failed when the incoming message met certain conditions, aborting the process. The issue has been addressed in the Core Lightning release v26.04, and it is highly recommended that all operators update their nodes to this version to mitigate the risk.
Core Lightning employs a multi-daemon architecture aimed at isolating faults to prevent system-wide failures. However, this incident revealed that critical vulnerabilities could still lead to significant disruptions if exploited. The discovery of this vulnerability was facilitated by a new fuzzing target called fuzz-open_channel, developed during the internship. This tool was designed to test the robustness of the channel opening process by generating messages with random content or structurally valid but semantically randomized data to expose any weaknesses in the system's handling of channel requests.
The vulnerability was specifically triggered by a funding_created message with a zeroed-out funding_txid, which caused a failure in an assertion check in the hsmd daemon, leading to an abort() call that terminated the process. This issue underscores the potential for remote attackers to exploit such vulnerabilities to disrupt operations on the Lightning Network by crashing nodes that accept channel openings from external peers.
The process of identifying and confirming this vulnerability involved developing an attack program that mimicked the actions of a malicious peer, including completing the initial handshakes and sending the crafted funding_created message that triggered the crash. This testing confirmed that the crash could be reproduced reliably.
The resolution of this problem coincided with another ongoing fix related to a separate issue in the hsmd daemon. The remediation involved removing the problematic assertion, thus eliminating the crash scenario originally encountered. This fix was incorporated into the main codebase following a review and confirmation of the vulnerability by the development team, culminating in a merge on August 7, 2025.
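To illustrate the pattern behind the crash described above and its remediation, the following is an added Python example (not Core Lightning's code): it parses a funding_created message using the BOLT #2 wire layout and contrasts asserting on a peer-supplied field, which takes the whole process down, with validating it and rejecting the peer. The message builder, handler names and the all-zero test vector are assumptions constructed for illustration.

```python
import struct

# BOLT #2 funding_created wire layout (type 34), after the 2-byte type field:
#   temporary_channel_id: 32 bytes
#   funding_txid:         32 bytes
#   funding_output_index: u16, big-endian
#   signature:            64 bytes
FUNDING_CREATED_TYPE = 34
_BODY_LEN = 32 + 32 + 2 + 64
ZERO_TXID = bytes(32)


class PeerProtocolError(Exception):
    """Recoverable error: the offending peer is disconnected, the node keeps running."""


def parse_funding_created(msg: bytes) -> dict:
    """Structural parse of a funding_created message; no field is trusted yet."""
    if len(msg) != 2 + _BODY_LEN:
        raise PeerProtocolError(f"bad funding_created length {len(msg)}")
    (msg_type,) = struct.unpack(">H", msg[:2])
    if msg_type != FUNDING_CREATED_TYPE:
        raise PeerProtocolError(f"unexpected message type {msg_type}")
    body = msg[2:]
    return {
        "temporary_channel_id": body[0:32],
        "funding_txid": body[32:64],
        "funding_output_index": struct.unpack(">H", body[64:66])[0],
        "signature": body[66:130],
    }


def handle_assert_style(msg: bytes) -> dict:
    """Fragile handling: an assertion on peer data. In a C daemon, assert() calls
    abort(), so a single crafted message terminates the process (modelled here
    by AssertionError propagating out of the handler)."""
    fields = parse_funding_created(msg)
    assert fields["funding_txid"] != ZERO_TXID, "funding_txid must not be zero"
    return fields


def handle_validate_style(msg: bytes) -> dict:
    """Robust handling: semantic checks on peer data raise a recoverable error,
    so the node rejects the channel open and drops the peer instead of crashing."""
    fields = parse_funding_created(msg)
    if fields["funding_txid"] == ZERO_TXID:
        raise PeerProtocolError("funding_txid is all zeros; rejecting channel open")
    return fields


def build_funding_created(temp_id: bytes, funding_txid: bytes, index: int, sig: bytes) -> bytes:
    """Constructed regression-test vector builder (assumption; not a real peer message)."""
    return (struct.pack(">H", FUNDING_CREATED_TYPE) + temp_id + funding_txid
            + struct.pack(">H", index) + sig)
```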
This experience highlights the effectiveness of fuzzing as a technique for uncovering hard-to-predict software bugs that might not be identified through conventional testing methods. It also emphasizes the importance of rigorous security practices in the development and maintenance of critical infrastructure like the Lightning Network. Special acknowledgment is given to Matt Morehouse for his guidance throughout the process, from discovery through to disclosure and patching of the vulnerability.