HackerOne Disclosed Reports - 2026-05-06


Severity: Critical | Status: Resolved

Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis


Bug reported by rorkh, disclosed on May 6, 2026, 5:13 pm | Uncontrolled Resource Consumption

A deadlock vulnerability was discovered in the Monero JSON-RPC interface that allowed a remote, unauthenticated attacker to completely paralyze any Monero node with a single HTTP request containing specific batch methods, leading to permanent denial of service. The vulnerability affected all releases of Monero up to version 0.18.4.2 and likely previous versions, across all operating systems. The vulnerability was rated as critical, with a CVSS 3.0 score of 10.0.




