CVE-2021-41591

9.4 CRITICAL

📋 TL;DR

CVE-2021-41591 is a vulnerability in the ACINQ Eclair Lightning Network implementation that allows attackers to exploit dust HTLC (Hashed TimeLock Contract) exposure to cause loss of funds. It affects Lightning Network node operators running vulnerable Eclair versions, potentially allowing malicious peers to force channel closures and steal funds.

💻 Affected Systems

Products:
  • ACINQ Eclair
Versions: All versions before 0.6.3
Operating Systems: All platforms running Eclair
Default Config Vulnerable: ⚠️ Yes
Notes: All Eclair nodes with default configuration are vulnerable. The vulnerability affects the Lightning Network protocol implementation specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of funds in vulnerable Lightning Network channels through forced channel closures and theft of channel balances.

🟠 Likely Case

Targeted attacks against vulnerable nodes resulting in partial or complete channel fund loss, particularly affecting nodes with many open channels.

🟢 If Mitigated

No fund loss with proper patching; unpatched nodes remain vulnerable to sophisticated attackers.

🌐 Internet-Facing: HIGH - Lightning Network nodes are inherently internet-facing and interact with potentially malicious peers.
🏢 Internal Only: LOW - Lightning Network operates on public peer-to-peer connections, not internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires establishing Lightning Network channels with vulnerable nodes. The 'good griefing' attack technique is documented in Lightning Network research papers and mailing lists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.3 and later

Vendor Advisory: https://github.com/ACINQ/eclair/pull/1985

Restart Required: Yes

Instructions:

1. Stop the Eclair service.
2. Back up configuration and data.
3. Update to Eclair 0.6.3 or later.
4. Restart the Eclair service.
5. Monitor for successful operation.

🔧 Temporary Workarounds

Close vulnerable channels

all

Manually close all existing Lightning Network channels to prevent exploitation through established connections.

eclair-cli channels
eclair-cli close --channelId=<channel_id>

🧯 If You Can't Patch

  • Disable all Lightning Network functionality and operate as Bitcoin-only node
  • Close all existing channels and do not open new channels until patched

🔍 How to Verify

Check if Vulnerable:

Check Eclair version: if version is below 0.6.3, the system is vulnerable.

Check Version:

eclair-cli getinfo | grep version

Verify Fix Applied:

Confirm Eclair version is 0.6.3 or higher and monitor for successful channel operations without forced closures.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected channel force-closures
  • Multiple dust HTLC failures
  • Channel balance discrepancies

Network Indicators:

  • Unusual pattern of small HTLC payments
  • Rapid channel opening/closing from same peer

SIEM Query:

source="eclair.log" AND ("force-close" OR "dust HTLC" OR "channel failure")
