CVE-2020-26265 — Incorrect Calculation in Ethereum Go-ethereum

CWE-682 — Incorrect Calculation6 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 49.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Ethereum Go-ethereum Ethereum GO Ethereum Ethereum Go-ethereum

Timeline

PublishedDec 11

Latest updateFeb 21

Description

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches have been made -- all users are recommended to upgrade to a newer version.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

▶NVDethereum/go_ethereum1.9.4 — 1.9.20

▶Gogithub.com/ethereum_go-ethereum1.9.4 — 1.9.20

▶CVEListV5ethereum/go-ethereum>= 1.9.4, < 1.9.20

🔴Vulnerability Details

OSV

Consensus flaw in github.com/ethereum/go-ethereum↗2021-07-28

▶

GHSA

Consensus flaw during block processing in github.com/ethereum/go-ethereum↗2021-06-29

▶

OSV

Consensus flaw during block processing in github.com/ethereum/go-ethereum↗2021-06-29

▶

CVEList

Consensus flaw during block processing↗2020-12-11

▶

📄Research Papers

arXiv

BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects↗2023-02-21

▶