Impact

An unauthenticated peer could crash a victim lnd node by sending a channel_update or node_announcement carrying a timestamp of 0. In the gossiper’s announcement de-duplication path, a first-seen message with timestamp 0 skips both the discard branch and the initialization branch and falls through to an assignment into a nil senders map, triggering a panic (“assignment to entry in nil map”) that crashes the node.

There is no fund-loss path. The node restarts cleanly, but it can be crashed again by repeating the attack.

Severity

Scored against the Lightning Labs severity taxonomy (4-dimension rubric):

| Dimension | Score | Reasoning |
|---|---|---|
| Impact | Low | Panic and crash. The node restarts cleanly; no fund-loss path and no sustained liveness invalidation. |
| Attack Vector | High | Network. Any peer can deliver the malformed channel_update / node_announcement with no prior relationship. |
| Exploitability | High | A single zero-timestamp message reliably triggers the panic on a default configuration. |
| Virality | Low | The node crashes while batching the message for rebroadcast, before relaying it, so the attack does not self-propagate through gossip. Each victim must be targeted directly. |

Result: T3. Rule 3 (Impact = Low, base T3); no promotion because Virality is not High. A non-viral crash-DoS is T3 regardless of how trivially it triggers.

Patches

The issue was fixed in lnd v0.20.1-beta by lnd #10469 (“lnwire: enforce non-zero timestamp in gossip messages”), which rejects zero-timestamp gossip messages at parse time so they never reach the affected code path. Users should update to a version >= v0.20.1-beta to be protected.
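
The Go sketch below is an added example, not lnd's code: a simplified model of the de-duplication flow described under Impact, beside a parse-time check of the kind the fix applies. All type and function names (update, entry, deduper, add, validate, tryAdd) are hypothetical, and the sample input is constructed.

```go
package main

import "fmt"

// Hypothetical, simplified types for this sketch (not lnd's own).
type update struct {
	chanID    uint64
	timestamp uint32
}

type entry struct {
	timestamp uint32
	senders   map[string]struct{}
}
type deduper map[uint64]entry

// add models the flawed flow: an unseen key yields the zero entry (timestamp
// 0, nil senders), so a zero-timestamp update matches neither branch below.
func (d deduper) add(u update, peer string) {
	e := d[u.chanID]
	switch {
	case e.timestamp > u.timestamp:
		return // stale update: discard
	case e.timestamp < u.timestamp:
		e = entry{timestamp: u.timestamp, senders: map[string]struct{}{}}
	}
	e.senders[peer] = struct{}{} // panics when senders is nil
	d[u.chanID] = e
}

// validate models rejecting zero timestamps at parse time, before add runs.
func validate(u update) error {
	if u.timestamp == 0 {
		return fmt.Errorf("gossip message has zero timestamp")
	}
	return nil
}

// tryAdd reports whether add panicked, so the demo itself does not crash.
func tryAdd(d deduper, u update, peer string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	d.add(u, peer)
	return false
}

func main() {
	zero := update{chanID: 7, timestamp: 0} // constructed sample input
	fmt.Println(tryAdd(deduper{}, zero, "peerA"), validate(zero))
}
```

In this model a zero timestamp against an already-known channel is simply discarded as stale; only the first-seen case reaches the nil map, which is why rejecting the value before it enters the de-duplicator closes the path.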

Disclosure timeline

  • Reported to Lightning Labs by Nishant Bansal.
  • Reproduced and verified by Matt Morehouse using a proof-of-concept attack program.
  • Fix merged in lnd #10469 and released in v0.20.1-beta.
  • Public disclosure: 2026-06-18.

Credit

Reported by Nishant Bansal (@NishantBansal2003).
