diff --git a/_includes/references.md b/_includes/references.md
index 0b15343a0..6ede6f498 100644
--- a/_includes/references.md
+++ b/_includes/references.md
@@ -166,6 +166,7 @@ for details --> {% endcomment %}
[BIP320]: https://github.com/bitcoin/bips/blob/master/bip-0320.mediawiki
[BIP321]: https://github.com/bitcoin/bips/blob/master/bip-0321.mediawiki
[BIP322]: https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki
+[BIP323]: https://github.com/bitcoin/bips/blob/master/bip-0323.mediawiki
[BIP324]: https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki
[BIP325]: https://github.com/bitcoin/bips/blob/master/bip-0325.mediawiki
[BIP326]: https://github.com/bitcoin/bips/blob/master/bip-0326.mediawiki
diff --git a/_posts/cs/newsletters/2026-05-08-newsletter.md b/_posts/cs/newsletters/2026-05-08-newsletter.md
index 38b2be11e..7f4467e46 100644
--- a/_posts/cs/newsletters/2026-05-08-newsletter.md
+++ b/_posts/cs/newsletters/2026-05-08-newsletter.md
@@ -12,49 +12,6 @@ o používání veřejných dokladů o podvodu pro zlepšení incentiv u just-in
Též nechybí naše pravidelné rubriky s popisem významných změn v populárním bitcoinovém
páteřním software.
-
-
## Novinky
- **Možné ochrany proti identifikaci uzlu**: Naiyoma zaslala do fóra Delving Bitcoin
diff --git a/_posts/en/newsletters/2026-05-08-newsletter.md b/_posts/en/newsletters/2026-05-08-newsletter.md
index 7783cb81d..e66b3a8ea 100644
--- a/_posts/en/newsletters/2026-05-08-newsletter.md
+++ b/_posts/en/newsletters/2026-05-08-newsletter.md
@@ -12,49 +12,6 @@ links to discussion of using public fraud proofs to improve incentives around
just-in-time channels. Also included are our regular sections describing notable
changes to popular Bitcoin infrastructure software.
-
-
## News
- **Possible solutions to node fingerprinting**: Naiyoma [posted][fing del] to Delving Bitcoin
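Review bot: The `@@ -12,49 +12,6 @@` header on this hunk drops 43 lines between the intro paragraph and `## News` of the already-published 2026-05-08 newsletter, and the cs, fr and ja hunks for the same post carry matching removals, yet the rest of the patch is about adding newsletter #405. If this is a deliberate cleanup, say so in the commit message or move it to its own commit so the change to published posts can be reviewed separately.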
diff --git a/_posts/en/newsletters/2026-05-15-newsletter.md b/_posts/en/newsletters/2026-05-15-newsletter.md
new file mode 100644
index 000000000..4e0b8dceb
--- /dev/null
+++ b/_posts/en/newsletters/2026-05-15-newsletter.md
@@ -0,0 +1,194 @@
+---
+title: 'Bitcoin Optech Newsletter #405'
+permalink: /en/newsletters/2026/05/15/
+name: 2026-05-15-newsletter
+slug: 2026-05-15-newsletter
+type: newsletter
+layout: newsletter
+lang: en
+---
+This week's newsletter announces the responsible disclosure of a vulnerability
+that could allow an attacker with sufficient proof-of-work to crash Bitcoin Core
+nodes and describes a draft BIP proposal for sharing the UTXO set over the P2P
+network. Also included are our regular sections announcing a new release
+candidate and describing notable changes to popular Bitcoin infrastructure
+software.
+
+## News
+
+- **Bitcoin Core script interpreter remote crash disclosure:**
+ Niklas Gögge [posted][topic cve mailing list] to the Bitcoin-Dev mailing list
+ disclosing [CVE-2024-52911][topic cve disclosure], a vulnerability affecting versions of Bitcoin Core
+ after version 0.14.0 and before 29.0. After version 0.14.0 (released
+ March 2017), validating a specially-crafted block could cause the node to access
+ previously freed memory. During validation, data required for
+ checking transaction inputs is cached. The bug occurred due to object lifetime
+ ordering during parallel script validation, where cached precomputed
+ transaction data could be freed before background script-check threads
+ completed. For specially-crafted invalid blocks, it was possible for this data
+ to be destroyed while it was still being accessed by background threads.
+
+ An attacker with sufficient proof of work could, using the specially-crafted invalid block, crash a
+ victim's node. Because of the nature of use-after-free bugs, it is possible
+ to perform remote code execution on the victims' nodes, but actually executing
+ that attack is unlikely due to the difficulty of crafting a block that achieves it.
+
+ The vulnerability was discovered and [responsibly disclosed][topic responsible disclosures] by Cory Fields, who
+ also provided a proof of concept and proposed mitigation. The issue was fixed
+ in Bitcoin Core 29.0.
+
+- **BIP proposal for UTXO set sharing over P2P network**: Fabian Jahr
+ [posted][p2p share ml] to the Bitcoin-Dev mailing list about a
+ [draft BIP][BIPs #2137] for sharing the UTXO set over the P2P layer.
+ The goal of the proposal is to improve the [assumeUTXO][topic assumeutxo]
+ feature by providing a way for new nodes to receive the UTXO set directly
+ from peers, instead of from external sources. In particular, the proposal
+ defines an extension to the P2P protocol which introduces a new service bit,
+ four new P2P messages, and a UTXO set merkle root known to the requesting node, to
+ verify the correctness of the provided UTXO set.
+
+ The proposal received feedback. Antoine Riard proposed to
+ build the current draft on top of [BIP434][], which defines peer feature negotiation
+ (see [Newsletter #386][news386 feat negot]), and brought up some concerns about
+ malicious peers forwarding a malformed UTXO set. Eric Voskuil warned the author about
+ the long-term risks of such a BIP, which could lead to new proposals for miner
+ commitments to UTXO state. According to Voskuil, this would weaken Bitcoin's security model, with new nodes trusting miners instead of verifying the whole chain
+ from the genesis block.
+
+## Releases and release candidates
+
+_New releases and release candidates for popular Bitcoin infrastructure
+projects. Please consider upgrading to new releases or helping to test
+release candidates._
+
+- [Core Lightning 26.06rc1][] is a release candidate for the next major version
+ of this popular LN node which includes new `graceful`, `sendamount`, and
+ `xkeysend` RPCs, begins the `pay` deprecation cycle in favor of `xpay`, and
+ adds BOLT12 payer-proof RPC support.
+
+## Notable code and documentation changes
+
+_Notable recent changes in [Bitcoin Core][bitcoin core repo], [Core
+Lightning][core lightning repo], [Eclair][eclair repo], [LDK][ldk repo],
+[LND][lnd repo], [libsecp256k1][libsecp256k1 repo], [Hardware Wallet
+Interface (HWI)][hwi repo], [Rust Bitcoin][rust bitcoin repo], [BTCPay
+Server][btcpay server repo], [BDK][bdk repo], [Bitcoin Improvement
+Proposals (BIPs)][bips repo], [Lightning BOLTs][bolts repo],
+[Lightning BLIPs][blips repo], [Bitcoin Inquisition][bitcoin inquisition
+repo], and [BINANAs][binana repo]._
+
+- [Bitcoin Core #35209][] now constructs the `txsdata` vector before the
+ `CCheckQueueControl` object, addressing the root cause of
+ [CVE-2024-52911][topic cve disclosure] (see the news section above). Since C++ destroys
+ local objects in reverse construction order, this ensures the script-check
+ queue is completed before the precomputed transaction data referenced by
+ queued `CScriptCheck` objects is destroyed. This prevents early-return
+ validation paths from causing background script-check threads to access freed
+ memory. This vulnerability was previously fixed in Bitcoin Core 29.0 through
+ a covert fix of the early-return behavior (see [Newsletter #333][news333 fix]).
+
+- [BIPs #2116][] publishes [BIP323][], which proposes expanding the number of
+ bits available in `nVersion`'s nonce space for miners from 16 to 24,
+ superseding [BIP320][]. It reserves bits 5 through 28 for header-only mining
+ without relying on rolling `nTime` more often than once per second. See
+ [Newsletter #395][news395 nversion] for previous discussion.
+
+- [BIPs #2141][] and [BIPs #2155][] revise and extend [BIP322][], which originally
+ proposed a [generic signed message format][topic generic signmessage] in 2018. The update addresses
+ long-standing open questions and feedback, fleshes out the proposed proof of
+ funds construction, and adds a PSBT-based signing flow. The revision makes
+ breaking changes to the previous specification including the addition of a new
+ human-readable prefix to the signature and changes to the proof of funds
+ signature format. A more comprehensive reference implementation based on btcd
+ and additional test vectors are added as the BIP is advanced to
+ Complete and formally proposed to the ecosystem for adoption.
+
+- [Core Lightning #9116][] adds experimental support for [BOLT12][topic offers]
+ payer proofs, implementing the latest draft proposal from [BOLTs #1295][].
+ Payer proofs are a BOLT12 receipt format that allows
+ [a payer to prove][topic proof of payment] that they paid an invoice using the
+ payment preimage, the invoicing node's signature, and a payer signature from
+ `invreq_payer_id`, while allowing selected invoice fields to be omitted for
+ privacy. The PR adds common routines for creating and validating payer proofs,
+ updates `bolt12-cli`, and adds an experimental `createproof` RPC. The format
+ remains experimental and may change.
+
+- [Core Lightning #9110][] deprecates the `pay`, `paystatus`, `keysend`,
+ `getroute`, `renepay`, and `renepaystatus` RPCs, with deprecation beginning
+ in version 26.06 and removal scheduled for version 27.03. The `xpay` RPC (see
+ [Newsletter #330][news330 xpay]) now handles most pay invocations, and an
+ `xkeysend` RPC is added to maintain [keysend][topic spontaneous payments]
+ functionality. The PR also expands `xpay` with `label` and `localinvreqid`
+ parameters, CLTV shadow routing, improved handling of repeated payments, and
+ handling of `channel_update` errors. It also updates `getroutes` to return
+ clearer per-hop amount, node, and CLTV fields, and updates `sendpay` to accept
+ routes using those fields.
+
+- [LDK #4598][] updates `OutputSweeper` to ensure its `pending_sweep` flag is
+ cleared even if an in-progress sweep attempt is cancelled before completion.
+ The flag prevents concurrent sweep attempts, but if it remained set after a
+ cancelled sweep, later attempts would be incorrectly skipped, potentially
+ preventing time-sensitive [HTLC][topic htlc] outputs from being claimed until
+ the node restarted. The PR now clears the flag using a guard object that runs
+ on normal return, error, or cancellation.
+
+- [LDK #4528][] commits BOLT11 `payment_metadata` (see
+ [Newsletter #182][news182 metadata]) to the inbound payment HMAC. When
+ metadata is included in an invoice, LDK now requires that the final onion
+ payload return the same metadata before accepting the payment, preventing
+ sender-side modification or omission. In addition, the invoice builder now
+ requires payment metadata by default, but users can opt out using
+ `optional_payment_metadata()` for compatibility with senders that don't
+ support it.
+
+- [LND #10612][] adds graph-based pathfinding for [onion messages][topic onion
+ messages], building on earlier forwarding support (see
+ [Newsletter #396][news396 onion]). LND can now find a route to a destination
+ through nodes that advertise onion message support using feature bits 38/39.
+ Since onion messages are not payments, the search does not consider liquidity
+ or fees.
+
+- [BTCPay Server #7354][] fixes a hot wallet key exposure issue introduced after
+ [BTCPay Server #7329][] added granular wallet permissions. Users with
+ wallet-signing permission, but not permission to view the wallet seed or modify
+ store settings, could be exposed to derived hot wallet private keys during
+ [PSBT][topic psbt] signing. The PR introduces a `HotwalletSafe` helper to
+ centralize hot-wallet access, separates permission to sign from permission to
+ view seed material, and updates signing flows to use the hot wallet
+ server-side without returning private signing keys through HTTP form fields.
+
+- [BDK #2195][] fixes syncing from Electrum servers when a transaction's first
+ output isn't indexed, such as an `OP_RETURN` output. Previously,
+ `BdkElectrumClient::populate_with_txids` queried confirmation history using
+ the first output's script, which could return an empty history. BDK now uses
+ the first indexed output script, or falls back to an input's previous output
+ script if none of the outputs are indexed.
+
+- [Bitcoin Inquisition #100][] implements [BIP446][]'s `OP_TEMPLATEHASH` opcode
+ for testing proposed consensus changes on [signet][topic signet].
+ `OP_TEMPLATEHASH` is a [tapscript][topic tapscript] opcode that pushes a hash
+ of the spending transaction onto the stack (see
+ [Newsletter #397][news397 templatehash]). The PR also adds an extensive test
+ framework.
+
+- [BINANAs #20][] assigns BIN-2026-0002 to a future Bitcoin Inquisition
+ implementation of [BIP443][]'s [OP_CHECKCONTRACTVERIFY][topic matt] (OP_CCV)
+ opcode. See Newsletters [#348][news348 op_ccv] and [#356][news356 op_ccv] for
+ previous discussion of this proposed [covenant][topic covenants].
+
+{% include snippets/recap-ad.md when="2026-05-19 16:30" %}
+{% include references.md %}
+{% include linkers/issues.md v=2 issues="2137,20,100,1295,2116,2141,2155,2195,4528,4598,7329,7354,9110,9116,10612,35209" %}
+[topic cve mailing list]: https://groups.google.com/g/bitcoindev/c/e1UEdViSYkU
+[topic cve disclosure]: https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/
+[Core Lightning 26.06rc1]: https://github.com/ElementsProject/lightning/releases/tag/v26.06rc1
+[news333 fix]: /en/newsletters/2024/12/13/#bitcoin-core-31112
+[news330 xpay]: /en/newsletters/2024/11/22/#core-lightning-7799
+[news182 metadata]: /en/newsletters/2022/01/12/#bolts-912
+[news396 onion]: /en/newsletters/2026/03/13/#lnd-10089
+[news395 nversion]: /en/newsletters/2026/03/06/#draft-bip-for-expanded-nversion-nonce-space-for-miners
+[news397 templatehash]: /en/newsletters/2026/03/20/#bips-1974
+[news348 op_ccv]: /en/newsletters/2025/04/04/#op-checkcontractverify-semantics
+[news356 op_ccv]: /en/newsletters/2025/05/30/#bips-1793
+[p2p share ml]: https://groups.google.com/g/bitcoindev/c/rThmyI8ZN3Q
+[news386 feat negot]: /en/newsletters/2026/01/02/#peer-feature-negotiation
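Review bot: The affected range in the first news item, "after version 0.14.0 and before 29.0", followed by "After version 0.14.0 (released March 2017)", leaves it unclear whether 0.14.0 itself is affected; state the first affected release explicitly (or write "0.14.0 through 28.x" if that is what is meant), since readers use this sentence to decide whether they need to upgrade. In the same item, "it is possible to perform remote code execution" is stated flatly and then walked back as unlikely, and the paragraph switches between "victim's node" and "victims' nodes"; wording such as "remote code execution may be possible, but is considered unlikely" would read more consistently with the summary added to `_topics/en/cve.md`. Smaller points: the labels `[topic cve mailing list]` and `[topic cve disclosure]` are defined at the bottom of this file and point at external URLs, but use the `topic` prefix that the other links here (`[topic assumeutxo]`, `[topic offers]`) do not define locally, so names in the style of `[p2p share ml]` would be clearer; and the first news title keeps its colon inside the bold markers while the second puts it outside.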
diff --git a/_posts/fr/newsletters/2026-05-08-newsletter.md b/_posts/fr/newsletters/2026-05-08-newsletter.md
index 688a9c8c5..0a13438e4 100644
--- a/_posts/fr/newsletters/2026-05-08-newsletter.md
+++ b/_posts/fr/newsletters/2026-05-08-newsletter.md
@@ -11,50 +11,6 @@ Le bulletin de cette semaine décrit des solutions possibles au fingerprinting d
preuves publiques de fraude pour améliorer les incitations autour des canaux just-in-time. Sont également incluses nos sections régulières
décrivant les changements notables dans les logiciels d'infrastructure Bitcoin populaires.
-
-
-
## Nouvelles
- **Solutions possibles au fingerprinting des nœuds** : Naiyoma a [publié][fing del] sur Delving Bitcoin à propos de solutions possibles au
diff --git a/_posts/ja/newsletters/2026-05-08-newsletter.md b/_posts/ja/newsletters/2026-05-08-newsletter.md
index f966577dc..e0fc789b7 100644
--- a/_posts/ja/newsletters/2026-05-08-newsletter.md
+++ b/_posts/ja/newsletters/2026-05-08-newsletter.md
@@ -7,93 +7,10 @@ type: newsletter
layout: newsletter
lang: ja
---
-
-
今週のニュースレターでは、ノードのフィンガープリンティングに対して考えられるソリューションと、
JITチャネルにおけるインセンティブ向上ために公開Fraud Proofを利用する議論のリンクを掲載しています。
また、人気のBitcoin基盤ソフトウェアの注目すべき更新について解説する、恒例のセクションも含まれています。
-
-
## ニュース
- **ノードのフィンガープリンティングに対して考えられるソリューション**:
diff --git a/_topics/en/assumeutxo.md b/_topics/en/assumeutxo.md
index a2422ab85..b97c774a2 100644
--- a/_topics/en/assumeutxo.md
+++ b/_topics/en/assumeutxo.md
@@ -79,6 +79,9 @@ optech_mentions:
- title: "Bitcoin Core #33477 improves assumeUTXO snapshot creation using a temporary chainstate"
url: /en/newsletters/2026/04/24/#bitcoin-core-33477
+ - title: "Draft BIP proposed for sharing UTXO set over P2P for assumeUTXO bootstrapping"
+ url: /en/newsletters/2026/05/15/#bip-proposal-for-utxo-set-sharing-over-p2p-network
+
## Optional. Same format as "primary_sources" above
see_also:
- title: "Bitcoin Core issue #15605: AssumeUTXO discussion"
diff --git a/_topics/en/cve.md b/_topics/en/cve.md
index 12c5dccf9..d1cc2f04d 100644
--- a/_topics/en/cve.md
+++ b/_topics/en/cve.md
@@ -22,6 +22,7 @@ title-aliases:
- CVE-2020-26896
- CVE-2021-31876
- CVE-2023-39910
+ - CVE-2024-52911
## Required. At least one category to which this topic belongs. See
## schema for options
@@ -97,6 +98,9 @@ optech_mentions:
- title: "CVE-2015-3641: out-of-memory crash when Bitcoin Core would accept over 4 GB in messages from peers"
url: /en/newsletters/2024/07/05/#node-crash-dos-from-multiple-peers-with-large-messages
+ - title: "CVE-2024-52911: script interpreter remote crash in Bitcoin Core"
+ url: /en/newsletters/2026/05/15/#bitcoin-core-script-interpreter-remote-crash-disclosure
+
## Optional. Same format as "primary_sources" above
see_also:
- title: Responsible disclosures
@@ -112,6 +116,15 @@ excerpt: >
extra:
cves:
+ CVE-2024-52911:
+ link: /en/newsletters/2026/05/15/#bitcoin-core-script-interpreter-remote-crash-disclosure
+ summary: >
+ Use-after-free vulnerability in Bitcoin Core's parallel script
+ validation affecting versions after 0.14.0 and before 29.0. An
+ attacker with sufficient proof-of-work could crash victims' nodes
+ and potentially achieve remote code execution. Discovered by Cory
+ Fields and fixed in Bitcoin Core 29.0.
+
CVE-2023-39910:
link: /en/newsletters/2023/08/09/#libbitcoin-bitcoin-explorer-security-disclosure
summary: >
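Review bot: The new `CVE-2024-52911` summary says "affecting versions after 0.14.0 and before 29.0", which does not tell a reader whether 0.14.0 is itself affected; name the first affected release. The summary also omits that the trigger is a specially-crafted invalid block and that the newsletter entry it links to describes remote code execution as unlikely, so consider adding "via a specially-crafted invalid block" and qualifying the RCE clause to match.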
@@ -235,4 +248,3 @@ extra:
{% include references.md %}
{% include linkers/issues.md issues="" %}
-
diff --git a/_topics/en/generic-signmessage.md b/_topics/en/generic-signmessage.md
index 2c2f48569..7276c721c 100644
--- a/_topics/en/generic-signmessage.md
+++ b/_topics/en/generic-signmessage.md
@@ -79,6 +79,9 @@ optech_mentions:
- title: "Bitcoin Knots 28.1 adds support for BIP322 generic signmessage"
url: /en/newsletters/2025/04/18/
+ - title: "BIPs #2141 and #2155 update BIP322 with proof of funds construction and PSBT-based signing flow"
+ url: /en/newsletters/2026/05/15/#bips-2141
+
## Optional. Same format as "primary_sources" above
# see_also:
# - title:
diff --git a/_topics/en/matt.md b/_topics/en/matt.md
index 76e546139..1a0b9b39a 100644
--- a/_topics/en/matt.md
+++ b/_topics/en/matt.md
@@ -47,6 +47,9 @@ optech_mentions:
- title: "BIPs #1793 merges BIP443 which proposes the OP_CHECKCONTRACTVERIFY opcode"
url: /en/newsletters/2025/05/30/#bips-1793
+ - title: "BINANAs #20 assigns BIN-2026-0002 to OP_CHECKCONTRACTVERIFY proposal"
+ url: /en/newsletters/2026/05/15/#binanas-20
+
## Optional. Same format as "primary_sources" above
see_also:
- title: Covenants
diff --git a/_topics/en/onion-messages.md b/_topics/en/onion-messages.md
index dc3c8c15b..832105bdc 100644
--- a/_topics/en/onion-messages.md
+++ b/_topics/en/onion-messages.md
@@ -104,6 +104,9 @@ optech_mentions:
- title: "Discussion of onion message jamming and mitigation techniques"
url: /en/newsletters/2026/04/24/#onion-message-jamming-in-the-lightning-network
+ - title: "LND #10612 adds graph-based pathfinding for onion messages"
+ url: /en/newsletters/2026/05/15/#lnd-10612
+
## Optional. Same format as "primary_sources" above
see_also:
- title: Blinded paths
diff --git a/_topics/en/responsible-disclosures.md b/_topics/en/responsible-disclosures.md
index f284c7deb..19a700fa7 100644
--- a/_topics/en/responsible-disclosures.md
+++ b/_topics/en/responsible-disclosures.md
@@ -186,6 +186,10 @@ optech_mentions:
url: /en/newsletters/2025/10/31//#cpu-dos-from-unconfirmed-transaction-processing
date: 2025-04-25
+ - title: "Cory Fields responsibly disclosed a script interpreter remote crash vulnerability in Bitcoin Core"
+ url: /en/newsletters/2026/05/15/#bitcoin-core-script-interpreter-remote-crash-disclosure
+ date: 2025-11-02
+
## Optional. Same format as "primary_sources" above
see_also:
- title: "Common Vulnerabilities and Exposures (CVEs)"
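Review bot: `date: 2025-11-02` on the new entry is later than the fix it refers to: the newsletter text added in this patch says the issue was fixed in Bitcoin Core 29.0 through a covert fix covered in the 2024/12/13 newsletter, and the identifier is CVE-2024-52911. If `date` is meant to be the date of the report to the project, as the preceding entry (dated 2025-04-25 against a 2025/10/31 newsletter) suggests, please check this value.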