Core Lightning v26.06 deprecates the Pay plugin in favor of XPay, which uses the AskRené plugin and minimum cost flow algorithms for improved multipath payment routing, and adds a payer proof implementation for Bolt 12 offers.
A Core Lightning denial-of-service vulnerability allowed remote attackers to crash nodes by sending an all-zero TXID during channel opening. The bug was fixed in version 26.04.
Chand discovered a remote denial-of-service vulnerability in Core Lightning by fuzzing the open channel flow during a Summer of Bitcoin internship.
The Core Lightning bug was triggered by a malicious peer sending a funding_created message with a zeroed funding transaction ID. This crashed the hardware security module daemon, forcing the whole node offline.
The Core Lightning vulnerability was fixed in version 26.04 after disclosure to CLN security in July 2024 and patching in August 2024. All node operators are advised to upgrade.
Chand criticizes Core Lightning's slow fix deployment pace as a sign Lightning security is undervalued, arguing the ecosystem should invest more in fuzzing like Bitcoin Core does.
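The zeroed funding transaction ID case described above, as an added example that is not Core Lightning's code or its actual patch: a C parser for the BOLT 2 funding_created message that reports a null txid as an ordinary parse error, so the caller can fail one channel rather than abort a daemon. The message type 34 and field layout come from the BOLT 2 specification, not from this page, and the names parse_funding_created, fc_result and build_sample are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* BOLT 2 funding_created: u16 type (34), temporary_channel_id[32],
 * funding_txid[32], funding_output_index (u16, big-endian), signature[64]. */
#define MSG_FUNDING_CREATED 34
#define FUNDING_CREATED_LEN (2 + 32 + 32 + 2 + 64)
enum fc_result { FC_OK, FC_TOO_SHORT, FC_BAD_TYPE, FC_NULL_TXID };
struct funding_created {
    uint8_t temporary_channel_id[32];
    uint8_t funding_txid[32];
    uint16_t funding_output_index;
    uint8_t signature[64];
};

/* Parse untrusted peer bytes (hypothetical API). Every failure is a return
 * code, so the caller can close that one channel instead of asserting. */
enum fc_result parse_funding_created(const uint8_t *msg, size_t len,
                                     struct funding_created *out)
{
    uint8_t acc = 0;
    if (len < FUNDING_CREATED_LEN)      /* trailing extension bytes ignored */
        return FC_TOO_SHORT;
    if (((msg[0] << 8) | msg[1]) != MSG_FUNDING_CREATED)
        return FC_BAD_TYPE;
    memcpy(out->temporary_channel_id, msg + 2, 32);
    memcpy(out->funding_txid, msg + 34, 32);
    out->funding_output_index = (uint16_t)((msg[66] << 8) | msg[67]);
    memcpy(out->signature, msg + 68, 64);
    for (size_t i = 0; i < 32; i++)     /* OR all txid bytes together */
        acc |= out->funding_txid[i];
    return acc == 0 ? FC_NULL_TXID : FC_OK;
}

/* Constructed sample message: header plus every field byte set to `fill`. */
void build_sample(uint8_t *buf, uint8_t fill)
{
    memset(buf, fill, FUNDING_CREATED_LEN);
    buf[0] = 0; buf[1] = MSG_FUNDING_CREATED;
}

int main(void)
{
    uint8_t buf[FUNDING_CREATED_LEN];
    struct funding_created fc;
    build_sample(buf, 0x00);            /* constructed: all-zero txid */
    printf("zero txid: %d\n", (int)parse_funding_created(buf, sizeof buf, &fc));
    build_sample(buf, 0xab);            /* constructed: non-zero txid */
    printf("sample:    %d\n", (int)parse_funding_created(buf, sizeof buf, &fc));
}
```

A harness that feeds mutated buffers to parse_funding_created under a fuzzer exercises the same open-channel input the page says was fuzzed.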