Advisory Database

CVE-2026-44714: bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass

May 8, 2026

ScriptExecution.correctlySpends() contains two fast-path verification bugs, one for standard P2PKH spends and one for native P2WPKH spends, in core/src/main/java/org/bitcoinj/script/ScriptExecution.java.

In both branches, bitcoinj verifies the attacker-controlled signature against the attacker-controlled public key, but never checks that this public key is the one committed to by the output being spent (the 20-byte public-key hash in the P2PKH scriptPubKey or in the P2WPKH witness program). As a result, a signature from any attacker keypair satisfies bitcoinj's local verification for arbitrary P2PKH and P2WPKH outputs.

This doesn't affect the SPV (simplified payment verification) trust model, which follows proof of work and doesn't verify input signatures at all. Callers that use correctlySpends() to decide locally whether a transaction's inputs are validly signed are affected, since that check is exactly what is bypassed.
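The binding failure described above, as an added example that is not bitcoinj's code: the hypothetical check_spend_vulnerable() models the fast path that checks the pushed signature only against the pushed public key, and check_spend_fixed() adds the OP_EQUALVERIFY step that ties the key to the hash the output commits to. It assumes a pure-Python secp256k1 ECDSA (teaching-grade, included so the block runs offline), a constructed byte string in place of the real legacy/BIP143 signature hash, and a labelled stand-in for RIPEMD-160 on Python builds whose OpenSSL lacks it.

```python
"""Added example, not bitcoinj code: a model of the fast path the advisory describes.
check_spend_vulnerable() verifies the pushed signature against the pushed key only;
check_spend_fixed() also binds that key to the hash the output commits to."""
import hashlib, secrets

# secp256k1 domain parameters (teaching-grade ECDSA below, not constant-time)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def keygen():
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)

def sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = (z + r * priv) * pow(k, -1, N) % N
        if r and s:
            return (r, s)

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def encode_pub(pub):  # 33-byte compressed SEC encoding, as pushed in a scriptSig/witness
    return bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")

def hash160(data):  # RIPEMD160(SHA256(data)); builds without ripemd160 get a stand-in
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:  # assumption: stand-in digest, the binding check is the point
        return hashlib.sha256(b"ripemd160-stand-in:" + sha).digest()[:20]

def p2pkh_script(pub):  # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    return b"\x76\xa9\x14" + hash160(encode_pub(pub)) + b"\x88\xac"

def p2wpkh_script(pub):  # OP_0 <20 bytes>
    return b"\x00\x14" + hash160(encode_pub(pub))

def committed_hash(spk):  # key hash committed by a standard P2PKH/P2WPKH output, else None
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return spk[3:23]
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return spk[2:]
    return None

def check_spend_vulnerable(spk, sig, pub, sighash):
    # The bug: sig and pub are checked against each other, never against spk.
    return committed_hash(spk) is not None and verify(pub, sighash, sig)

def check_spend_fixed(spk, sig, pub, sighash):
    # OP_EQUALVERIFY semantics restored: pub must hash to the committed value.
    h = committed_hash(spk)
    return h is not None and hash160(encode_pub(pub)) == h and verify(pub, sighash, sig)

def demo():
    """Constructed scenario: a victim's outputs spent by an attacker's fresh keypair."""
    victim_priv, victim_pub = keygen()
    attacker_priv, attacker_pub = keygen()
    sighash = b"constructed sighash of the spending transaction"  # not a real BIP143 digest
    out = {}
    for name, spk in (("p2pkh", p2pkh_script(victim_pub)),
                      ("p2wpkh", p2wpkh_script(victim_pub))):
        for who, priv, pub in (("attacker", attacker_priv, attacker_pub),
                               ("owner", victim_priv, victim_pub)):
            sig = sign(priv, sighash)
            out[f"{name}_{who}"] = (check_spend_vulnerable(spk, sig, pub, sighash),
                                    check_spend_fixed(spk, sig, pub, sighash))
    return out
```

demo() returns, per output type and signer, the pair (vulnerable result, fixed result): the attacker's signature over a key the victim never published passes the vulnerable check for both P2PKH and P2WPKH and fails the fixed one, while the owner's signature passes both. The practical question for a codebase pinned to an affected version is whether anything calls ScriptExecution.correctlySpends() to make its own validity decision; if so, upgrade to 0.17.1 before trusting that result.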

References

  • github.com/advisories/GHSA-hfcf-v2f8-x9pc
  • github.com/bitcoinj/bitcoinj
  • github.com/bitcoinj/bitcoinj/releases/tag/v0.17.1
  • github.com/bitcoinj/bitcoinj/security/advisories/GHSA-hfcf-v2f8-x9pc
  • nvd.nist.gov/vuln/detail/CVE-2026-44714


Affected versions

All versions starting from 0.15 before 0.17.1

Fixed versions

  • 0.17.1

Solution

Upgrade to version 0.17.1 or above.

Impact

7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


Weakness

  • CWE-347: Improper Verification of Cryptographic Signature

Source file

maven/org.bitcoinj/bitcoinj-core/CVE-2026-44714.yml



Page generated Sat, 09 May 2026 00:18:40 +0000.