The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify that the public key is the one committed to by the output being spent. As a result, any attacker keypair can satisfy bitcoinj's local verification for arbitrary P2PKH and P2WPKH outputs. This vulnerability is fixed in 0.17.1.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-44714 is a critical cryptographic validation flaw in the bitcoinj library affecting Bitcoin transaction verification. The vulnerability exists in the ScriptExecution.correctlySpends() method, where fast-path optimizations for standard payment types (P2PKH and native P2WPKH) verify attacker-supplied signature and public-key pairs without confirming that the public key matches the one committed to by the output being spent. This allows attackers to forge valid signatures for transactions they shouldn't be able to sign, effectively enabling unauthorized fund transfers. Any application or service using bitcoinj versions prior to 0.17.1 for transaction validation—including cryptocurrency exchanges, wallet implementations, payment processors, and blockchain nodes—faces the risk of accepting fraudulent transactions as legitimate.
While no MITRE ATT&CK techniques are formally mapped to this vulnerability, practitioners using Casky would detect attack patterns aligned with Credential Access and Impact objectives. Claude's extended reasoning capabilities would flag anomalous signature verification patterns—specifically, transactions where cryptographic proofs succeed despite mismatched key material, or repeated acceptance of transactions from unexpected keypairs. Security teams would observe findings related to signature validation failures that should have been caught, unusual transaction acceptance rates from unauthenticated sources, and blockchain ledger inconsistencies indicating accepted unauthorized spends. Detection would focus on behavioral analysis of transaction processing logs, identifying when the verification logic succeeds despite insufficient cryptographic commitment validation. Practitioners should prioritize patching to bitcoinj 0.17.1+ and auditing transaction histories for suspicious accepted spends.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-44714. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation