Komodo Issues Critical Security Update: Node Operators and Exchanges Urged to Upgrade Immediately
The Komodo network has released an urgent security update for its core daemon (komodod) and its graphical interface counterpart, KomodoOcean. The latest releases - komodod v0.9.2-2 and KomodoOcean v0.9.2-rc4 - patch multiple remotely reachable memory-safety vulnerabilities discovered in the block and transaction validation pathways.
Exchanges, mining pools, and all independent node operators are strongly advised to update their infrastructure immediately. Notably, this advisory extends beyond the primary Komodo (KMD) chain; operators of all associated assetchains must also apply the patch to secure their networks.
What the Update Fixes
The primary focus of this security release is closing several critical vectors through which an attacker could trigger memory-safety bugs remotely. Left unpatched, these vulnerabilities could lead to node crashes and, in turn, network disruption.
According to the official release notes, the patches address the following key areas:
- Memory-Safety in Validation: The update resolves a remote null-dereference and a use-after-free vulnerability within block and script validation. Specifically, it introduces safeguards for zero-length pushes in IsCoinImport() and empty OP_RETURN outputs in the Heir Crypto-Condition (CC) module. It also fixes a use-after-free bug in ConnectBlock() (classified under the CVE-2024-52911 family) by ensuring script-check threads are properly joined before transaction data is destroyed.
- Hardened Block Checks: The CheckBlock() function has been fortified against uninitialized public keys (pubkey33) and an out-of-bounds read vulnerability in komodo_checkopret().
- Disabling Unsafe P2P Handlers: The update proactively disables the unsafe NSPV message processing surface. Nodes will now refuse to start if the -nspv_msg flag is enabled, as the getnSPV/nSPV peer-to-peer handlers were found to be remotely memory-unsafe, posing risks of stack overflows and out-of-bounds reads.
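As an added illustration (not Komodo's code), the following hypothetical C++ sketch shows the ordering discipline behind the ConnectBlock() fix described above: script checks run on worker threads that read transaction data by reference, and a join guard declared after that data guarantees the threads are joined before the data is destroyed, even on an early-return path. Tx, CheckScript, ScriptCheckPool and ConnectBlockChecks are assumed names.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <thread>
#include <vector>

// Hypothetical stand-in for a transaction (not Komodo's CTransaction).
struct Tx { std::vector<uint8_t> script; };

// Hypothetical script check: accept only a non-empty script whose first byte is 0x51 (OP_1).
static bool CheckScript(const Tx& tx) { return !tx.script.empty() && tx.script[0] == 0x51; }

// Worker pool whose destructor joins every thread. C++ destroys locals in reverse
// declaration order, so a pool declared *after* the tx data is always joined before
// that data is freed, on every exit path of the caller (normal return or early return).
class ScriptCheckPool {
public:
    ScriptCheckPool(const std::vector<Tx>& txs, std::atomic<int>& failures, unsigned nthreads = 2) {
        for (unsigned i = 0; i < nthreads; ++i)
            workers_.emplace_back([&txs, &failures, this] {
                // Each worker claims the next unchecked tx index until the block is exhausted.
                for (size_t k = next_.fetch_add(1); k < txs.size(); k = next_.fetch_add(1))
                    if (!CheckScript(txs[k])) failures.fetch_add(1);
            });
    }
    void Join() { for (auto& t : workers_) if (t.joinable()) t.join(); }
    ~ScriptCheckPool() { Join(); }
    ScriptCheckPool(const ScriptCheckPool&) = delete;
    ScriptCheckPool& operator=(const ScriptCheckPool&) = delete;
private:
    std::atomic<size_t> next_{0};
    std::vector<std::thread> workers_;
};

// Hypothetical ConnectBlock-style routine (not Komodo's). Returns the number of failing
// scripts, or -1 when a block-level rule rejects the block while checks are still running.
int ConnectBlockChecks(const std::vector<Tx>& block_txs) {
    std::vector<Tx> txs = block_txs;       // the data the worker threads read by reference
    std::atomic<int> failures{0};
    ScriptCheckPool pool(txs, failures);   // declared last, so destroyed (joined) first
    // Hypothetical block-level rule: the first tx must carry a script. Returning here without
    // the join guard would destroy `txs` while workers may still be reading it (use-after-free).
    if (txs.empty() || txs.front().script.empty()) return -1;
    pool.Join();                           // normal path: wait for every check before reading results
    return failures.load();
}
```

The same guarantee holds if the early exit is an exception rather than a return, since stack unwinding runs the pool's destructor before the vector's.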
A Note on Antivirus Detections
For users upgrading the KomodoOcean GUI wallet (particularly on macOS and Linux), the developers noted that some antivirus software might flag the binaries as a "RiskTool" or "Miner." This is a known false positive common to many cryptocurrency wallets, including Bitcoin Core, because the software inherently contains mining capabilities.
Action Required
To maintain network integrity and protect against potential exploits, the transition from rc3 to the latest patched versions is mandatory for all participants.
- komodod users: Upgrade to v0.9.2-2.
- KomodoOcean users: Upgrade to v0.9.2-rc4.
Infrastructure providers handling KMD or any Komodo-based assetchains should prioritize this update in their deployment pipelines today.