Bitcoin Core was susceptible to a double-spending attack for years

Bitcoin Core had a serious double-spending vulnerability for a year, which in theory could have led to a blockchain fork between affected nodes and bug-free nodes. The vulnerability was not abused.

The vulnerability, tracked as CVE-2018-17144, was fixed last week with the release of Bitcoin Core 0.16.3 and 0.17.0rc4. Initially the developers received a report about a denial-of-service bug, but on closer inspection an inflation vulnerability came to light, according to Bitcoin Core's full disclosure.

Optimizations in Bitcoin Core 0.14, which appeared last March, had the unintended side effect that nodes could crash when processing blocks with transactions that tried to spend coins several times. With the arrival of Bitcoin Core 0.15.0, just over a year ago, the problem grew worse: the adjustments caused nodes to accept the double-spend transactions in some cases.

Bitcoin Magazine describes that, in the worst case, a malicious actor could increase the amount of currency by duplicating their own coins. Nodes running the vulnerable Bitcoin Core versions would accept these coins, which could theoretically create a fork. In practice, this would be unlikely, because the older, unaffected nodes would probably have too low a hashrate.

Meanwhile, more than half of the hashrate has been upgraded to Bitcoin Core 0.16.3, so an attacker can no longer successfully displace the valid blockchain.
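
The failure mode described above, as an added example that is not from the article or from Bitcoin Core's code: a simplified Python model of block validation in which skipping the duplicate-input check lets one transaction count the same coin twice and inflate the supply. The transaction layout, `apply_block` and `reject_duplicate_inputs` are constructed for illustration; coinbase transactions, fees and signatures are not modelled.

```python
# Simplified model: the UTXO set maps an outpoint (txid, index) to a value.
# All transactions and values below are constructed for illustration.

def apply_block(utxos, block, reject_duplicate_inputs=True):
    """Validate every transaction in `block` and return the updated UTXO set.

    Raises ValueError on an invalid transaction. Setting
    reject_duplicate_inputs=False models a validator that skips the check.
    """
    utxos = dict(utxos)  # work on a copy so a rejected block changes nothing
    for tx in block:
        inputs = tx["inputs"]
        if reject_duplicate_inputs and len(set(inputs)) != len(inputs):
            raise ValueError(f"{tx['txid']}: outpoint spent more than once")
        for outpoint in inputs:
            if outpoint not in utxos:
                raise ValueError(f"{tx['txid']}: unknown or spent {outpoint}")
        # Every input is looked up before any is removed, so a repeated
        # outpoint is counted once per appearance unless rejected above.
        total_in = sum(utxos[outpoint] for outpoint in inputs)
        total_out = sum(tx["outputs"])
        if total_out > total_in:
            raise ValueError(f"{tx['txid']}: outputs exceed inputs")
        for outpoint in set(inputs):
            del utxos[outpoint]
        for index, value in enumerate(tx["outputs"]):
            utxos[(tx["txid"], index)] = value
    return utxos

def supply(utxos):
    """Total value of all unspent outputs."""
    return sum(utxos.values())

def is_rejected(utxos, block):
    """True if the strict validator refuses the block."""
    try:
        apply_block(utxos, block)
    except ValueError:
        return True
    return False

START = {("a", 0): 50}
HONEST = [{"txid": "b", "inputs": [("a", 0)], "outputs": [30, 20]}]
DUPLICATE = [{"txid": "c", "inputs": [("a", 0), ("a", 0)], "outputs": [100]}]

if __name__ == "__main__":
    print("honest supply:", supply(apply_block(START, HONEST)))
    print("duplicate rejected:", is_rejected(START, DUPLICATE))
    print("supply without check:",
          supply(apply_block(START, DUPLICATE, reject_duplicate_inputs=False)))
```

Two validators that differ only in this check end up with different UTXO sets for the same block, which is the fork condition the article describes.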

