Release PSA: Critical P2Pool security update · SChernykh/p2pool · GitHub

//releases/show" data-turbo-transient="true" />

Skip to content

Search or jump to...

Search code, repositories, users, issues, pull requests...

-->

Search

Clear

Search syntax tips

Provide feedback

--><br>We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Cancel

Submit feedback

Saved searches

Use saved searches to filter your results more quickly

-->

Name

Query

To see all available qualifiers, see our documentation.

Cancel

Create saved search

Sign in

//releases/show;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up

Appearance settings

Resetting focus

You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

{{ message }}

SChernykh

p2pool

Public

Notifications<br>You must be signed in to change notification settings

Fork<br>179

Star<br>1.5k

PSA: Critical P2Pool security update

Pre-release

Pre-release

Compare

Choose a tag to compare

Sorry, something went wrong.

Filter

Loading

Sorry, something went wrong.

Uh oh!

There was an error while loading. Please reload this page.

No results found

View all tags

SChernykh

released this

10 Jun 06:35

Immutable<br>release. Only release title and notes can be modified.

pre-release-v4.16

8ef5572

PSA: Critical P2Pool security update

A critical vulnerability has been discovered in all currently released P2Pool versions.

This is a P2Pool consensus bug that can allow an attacker to affect the calculated payouts of miners - up to the whole block reward going to the attacker.

To avoid facilitating exploitation, no technical details will be published at this time. The vulnerability does not enable RCE (remote code execution), node crashes, or resource-exhaustion attacks. However, affected nodes remain financially vulnerable until updated.

A patched P2Pool release will be published on 2026-06-13 (this Saturday) at 15:00 UTC . All users must update as soon as the release becomes available.

Anyone continuing to run an older version after that time risks losing mining payouts if the vulnerability is exploited. Note that mining payouts which are already in your wallet are safe. Updating is strongly recommended even if your node appears to be operating normally.

Source code, signed binaries, checksums, and upgrade instructions will be published through the official P2Pool release channels only - https://github.com/SChernykh/p2pool/releases

Download releases only from the official page and verify all downloaded files before installation.

Because P2Pool is open source, the fix will become visible once published. A capable attacker may be able to develop an exploit within hours, leaving miners who have not updated exposed.

It is essential that you are available to update promptly at the time of the release, or have a carefully tested automatic update process that downloads, verifies, and installs the official release.

Further technical details will be disclosed after sufficient adoption of the patched release.

We are continuously monitoring the network and have reviewed the available historical logs. We have found no evidence that this vulnerability has been exploited.

Assets

Loading

Uh oh!

There was an error while loading. Please reload this page.

-->

❤️<br>14<br>SpidFightFR, John-Doggett, hundehausen, viktor4096, alexterekhov-dev, CocolinoFan, fafato1, 06kellyjac, JuanForge, sethforprivacy, and 4 more reacted with heart emoji

All reactions

❤️<br>14 reactions

14 people reacted

You can’t perform that action at this time.