Strix
26.1K

CVE-2020-26895

MEDIUMCVSS 5.3/10EPSS 0.70%

Last modified

CVE-2020-26895 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). EPSS estimates a 0.70% chance of exploitation in the next 30 days.

Description

Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability
0.70%

48.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
Lightning Network Daemon ProjectLightning Network Daemon0.1Alpha
Lightning Network Daemon ProjectLightning Network Daemon0.1.1Alpha
Lightning Network Daemon ProjectLightning Network Daemon0.2Alpha
Lightning Network Daemon ProjectLightning Network Daemon0.2.1Alpha
Lightning Network Daemon ProjectLightning Network Daemon0.3Alpha
Lightning Network Daemon ProjectLightning Network Daemon0.4Beta
Lightning Network Daemon ProjectLightning Network Daemon0.4.1Beta
Lightning Network Daemon ProjectLightning Network Daemon0.4.2Beta
Lightning Network Daemon ProjectLightning Network Daemon0.5Beta
Lightning Network Daemon ProjectLightning Network Daemon0.5.1Beta
Lightning Network Daemon ProjectLightning Network Daemon0.5.2Beta
Lightning Network Daemon ProjectLightning Network Daemon0.6Beta
Lightning Network Daemon ProjectLightning Network Daemon0.6.1Beta
Lightning Network Daemon ProjectLightning Network Daemon0.7.0Beta
Lightning Network Daemon ProjectLightning Network Daemon0.7.1Beta
Lightning Network Daemon ProjectLightning Network Daemon0.8.0Beta
Lightning Network Daemon ProjectLightning Network Daemon0.8.1Beta
Lightning Network Daemon ProjectLightning Network Daemon0.8.2Beta
Lightning Network Daemon ProjectLightning Network Daemon0.9.0Beta
Lightning Network Daemon ProjectLightning Network Daemon0.9.1Beta
Lightning Network Daemon ProjectLightning Network Daemon0.9.2Beta
Lightning Network Daemon ProjectLightning Network Daemon0.10.0Beta Rc1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-26895?
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations.
How severe is CVE-2020-26895?
CVE-2020-26895 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.70% probability of exploitation in the next 30 days.
How do I fix CVE-2020-26895?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-26895?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST