CVE-2020-26264
Published 2020-12-11
Priority: P4 · 34 | CVSS 3.1 base score: 6.5 (medium) | Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.86% (76.6th percentile)
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25, a denial-of-service vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users who explicitly enable the les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethereum | go-ethereum | < 1.9.25 | 1.9.25 |
| ethereum | go_ethereum | < 1.9.25 | 1.9.25 |
| github.com | ethereum_go-ethereum | >= 0 < 1.9.25 | 1.9.25 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
GHSA
Denial of service in github.com/ethereum/go-ethereum
ghsa·2021-06-29
CVE-2020-26264 [MEDIUM] CWE-400 Denial of service in github.com/ethereum/go-ethereum
### Impact
A DoS vulnerability can make a LES server crash via a malicious `GetProofsV2` request from a connected LES client.
### Patches
The vulnerability was patched in https://github.com/ethereum/go-ethereum/pull/21896.
### Workarounds
This vulnerability only concerns users who explicitly enable the `les` server; disabling `les` prevents the exploit.
It can also be patched by manually applying the patch in https://github.com/ethereum/go-ethereum/pull/21896.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)
* Email us at [[email protected]](mailto:[email protected])
OSV
Denial of service in github.com/ethereum/go-ethereum
osv·2021-06-29
CVE-2020-26264 [MEDIUM] Denial of service in github.com/ethereum/go-ethereum
OSV
Nil pointer dereference via malicious RPC message in github.com/ethereum/go-ethereum
osv·2021-04-14
CVE-2020-26264 Nil pointer dereference via malicious RPC message in github.com/ethereum/go-ethereum
Due to a nil pointer dereference, a maliciously crafted RPC message can cause a panic. If handling RPC messages from untrusted clients, this may be used as a denial of service vector.
No detection rules found.
No public exploits indexed.
References
* https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
* https://github.com/ethereum/go-ethereum/pull/21896
* https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25
* https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q
Published: 2020-12-11