CVE-2022-39389
CVE-2022-39389 is a high-severity vulnerability in Btcd Project Btcd with a CVSS 3.x base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- EPSS exploit prediction: 1% (59th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Btcd Project Btcd
- Published:
- Last modified:
Description
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.
Frequently asked questions
- What is CVE-2022-39389?
- Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.
- How severe is CVE-2022-39389?
- CVE-2022-39389 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability high.
- Is CVE-2022-39389 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (59th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-39389?
- CVE-2022-39389 primarily affects Btcd Project Btcd. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-39389?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-39389 published?
- CVE-2022-39389 was published on 2022-11-17 and last updated on 2026-06-17.
References
- https://github.com/lightningnetwork/lnd/issues/7096
- https://github.com/lightningnetwork/lnd/pull/7098
- https://github.com/lightningnetwork/lnd/releases/tag/v0.15.4-beta
- https://github.com/lightningnetwork/lnd/security/advisories/GHSA-hc82-w9v8-83pr
Affected products (2)
- cpe:2.3:a:btcd_project:btcd:*:*:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:*:*:*:*:*:*:*:*
More vulnerabilities in Btcd Project Btcd
- CVE-2022-44797 — Critical (CVSS 9.8): btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles…
- CVE-2024-34478 — High (CVSS 7.5): btcd before 0.24.0 does not correctly implement the consensus rules outlined in BIP 68 and BIP 112, making it…
- CVE-2018-17145 — High (CVSS 7.5): Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16.2 allow remote denial of service via a flood of…
- CVE-2024-38365 — High (CVSS 7.4): btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10…
All CVEs affecting Btcd Project Btcd →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →