CVE-2026-44714

CVE-2026-44714 is a high-severity security vulnerability in org.bitcoinj:bitcoinj-core (maven), affecting versions >= 0.15, < 0.17.1. It is fixed in 0.17.1.

Summary

ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java.

In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj's local verification for arbitrary P2PKH and P2WPKH outputs.

This doesn't affect the SPV (simple payment verification) trust model, as this model follows PoW and doesn't verify input signatures at all.

Details

The issue is in the optimized branches of ScriptExecution.correctlySpends(...).

In the P2PKH fast path at core/src/main/java/org/bitcoinj/script/ScriptExecution.java:1042, the code:

  • parses the attacker-supplied signature from scriptSig
  • parses the attacker-supplied public key from scriptSig
  • computes the sighash against the victim output's scriptPubKey
  • checks only pubkey.verify(sigHash, signature)

It never enforces the missing P2PKH binding:

  • HASH160(pubkey) == ScriptPattern.extractHashFromP2PKH(scriptPubKey)

That means the OP_DUP OP_HASH160 <hash> OP_EQUALVERIFY OP_CHECKSIG semantics are not actually enforced in this fast path.

Relevant code:

} else if (ScriptPattern.isP2PKH(scriptPubKey)) {
    if (chunks.size() != 2)
        throw new ScriptException(...);
    TransactionSignature signature;
    try {
        byte[] data = Objects.requireNonNull(chunks.get(0).data);
        signature = TransactionSignature.decodeFromBitcoin(data, true, true);
    } catch (SignatureDecodeException x) {
        throw new ScriptException(...);
    }
    ECKey pubkey = ECKey.fromPublicOnly(Objects.requireNonNull(chunks.get(1).data));
    Sha256Hash sigHash = txContainingThis.hashForSignature(scriptSigIndex, scriptPubKey,
            signature.sigHashMode(), false);
    boolean validSig = pubkey.verify(sigHash, signature);
    if (!validSig)
        throw new ScriptException(...);
}

In the native P2WPKH fast path at core/src/main/java/org/bitcoinj/script/ScriptExecution.java:1023, the bug is similar. The code:

  • reads the attacker-supplied pubkey from witness
  • builds scriptCode from that attacker pubkey with ScriptBuilder.createP2PKHOutputScript(pubkey)
  • computes the BIP143 sighash using that attacker-derived scriptCode
  • verifies the signature against the attacker pubkey

It never enforces:

  • HASH160(pubkey) == ScriptPattern.extractHashFromP2WH(scriptPubKey)

So for P2WPKH, the attacker controls both the pubkey and the scriptCode used for signing.

Relevant code:

if (ScriptPattern.isP2WPKH(scriptPubKey)) {
    Objects.requireNonNull(witness);
    if (witness.getPushCount() < 2)
        throw new ScriptException(...);
    TransactionSignature signature;
    try {
        signature = TransactionSignature.decodeFromBitcoin(witness.getPush(0), true, true);
    } catch (SignatureDecodeException x) {
        throw new ScriptException(...);
    }
    ECKey pubkey = ECKey.fromPublicOnly(witness.getPush(1));
    Script scriptCode = ScriptBuilder.createP2PKHOutputScript(pubkey);
    Sha256Hash sigHash = txContainingThis.hashForWitnessSignature(scriptSigIndex, scriptCode, value,
            signature.sigHashMode(), false);
    boolean validSig = pubkey.verify(sigHash, signature);
    if (!validSig)
        throw new ScriptException(...);
}

Affected call sites include:

  • core/src/main/java/org/bitcoinj/core/TransactionInput.java:546
  • core/src/main/java/org/bitcoinj/wallet/Wallet.java:4520
  • core/src/main/java/org/bitcoinj/signers/LocalTransactionSigner.java:84
  • core/src/main/java/org/bitcoinj/signers/CustomTransactionSigner.java:77

These call sites use correctlySpends() for transaction/input validation and pre-signing checks. Any application that treats a successful result from this path as proof that a spend is valid is affected.

Impact

CVE-2026-44714 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.17.1); upgrading removes the vulnerable code path.

Affected versions

org.bitcoinj:bitcoinj-core (>= 0.15, < 0.17.1)

Security releases

org.bitcoinj:bitcoinj-core → 0.17.1 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

The issue is fixed on the release-0.17 branch via 2bc5653c41d260d840692bc554690d4d79208f9c, and on master via b575a682acf614b9ff95cacbdeb48f86c3ababe0. A 0.17.1 maintenance release has been made available on Maven Central.

Frequently Asked Questions

  1. What is CVE-2026-44714? CVE-2026-44714 is a high-severity security vulnerability in org.bitcoinj:bitcoinj-core (maven), affecting versions >= 0.15, < 0.17.1. It is fixed in 0.17.1.
  2. How severe is CVE-2026-44714? CVE-2026-44714 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of org.bitcoinj:bitcoinj-core are affected by CVE-2026-44714? org.bitcoinj:bitcoinj-core (maven) versions >= 0.15, < 0.17.1 is affected.
  4. Is there a fix for CVE-2026-44714? Yes. CVE-2026-44714 is fixed in 0.17.1. Upgrade to this version or later.
  5. Is CVE-2026-44714 exploitable, and should I be worried? Whether CVE-2026-44714 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-44714 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44714? Upgrade org.bitcoinj:bitcoinj-core to 0.17.1 or later.

Other vulnerabilities in org.bitcoinj:bitcoinj-core

Stop the waste.
Protect your environment with Kodem.