CVE-2020-26241: Incorrect Calculation in Ethereum Go-ethereum

Severity: 7.1 HIGH (NVD), 6.5 (CNA)
EPSS: 0.3% (top 46.36%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Nov 25
Latest update: Aug 21

Description

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the R
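The aliasing described above, as an added example in Go that is not go-ethereum's code: a simplified model of a data-copy precompile that returns its input slice as-is, next to one that copies it. The function names, the 64-byte memory layout and the final read-back of the saved return data are assumptions of this sketch.

```go
package main

import (
	"bytes"
	"fmt"
)

// Simplified model, not go-ethereum code: a precompile receives the caller's
// input bytes and returns output bytes that the VM keeps as return data.

// shallowDataCopy models the bug: the returned slice shares its backing
// array with the caller's memory region.
func shallowDataCopy(in []byte) []byte { return in }

// deepDataCopy models a precompile that copies: the output is a fresh
// allocation, independent of later writes to the input region.
func deepDataCopy(in []byte) []byte {
	out := make([]byte, len(in))
	copy(out, in)
	return out
}

// replay runs the sequence from the description against one precompile
// model and returns what the saved return data holds afterwards.
func replay(precompile func([]byte) []byte) []byte {
	memory := make([]byte, 64)       // constructed EVM memory
	region := memory[32:36]          // region R
	copy(region, []byte("XXXX"))     // write X to R
	returnData := precompile(region) // call 0x00...04 with R as argument
	copy(region, []byte("YYYY"))     // overwrite R with Y
	return returnData                // read the saved return data back
}

// diverges reports whether the two node models compute different results
// for the same transaction, which is the precondition for a chain split.
func diverges() bool {
	return !bytes.Equal(replay(shallowDataCopy), replay(deepDataCopy))
}

func main() {
	fmt.Printf("shallow copy node: %s\n", replay(shallowDataCopy)) // YYYY
	fmt.Printf("deep copy node:    %s\n", replay(deepDataCopy))    // XXXX
	fmt.Println("nodes diverge:", diverges())                      // true
}
```

A regression test for this class of bug mutates the input buffer after the call and asserts that the previously returned output is unchanged.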

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Exploitability: 2.8 | Impact: 4.2

Affected Packages (3 packages)

NVD: ethereum/go_ethereum < 1.9.17
Go: github.com/ethereum_go-ethereum | 1.9.7 | 1.9.17
CVEListV5: ethereum/go-ethereum >= 1.9.7, < 1.9.17

Vulnerability Details (4)

OSV: Shallow copy bug in geth in github.com/ethereum/go-ethereum (2024-08-21)
GHSA: Shallow copy bug in geth (2021-06-29)
OSV: Shallow copy bug in geth (2021-06-29)
CVEList: Shallow copy bug in geth (2020-11-25)