CVE-2020-26265
Published 2020-12-11
Priority P427, medium, 5.3 (CVSS 3.1)
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.91% (55.5th percentile)
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches have been made -- all users are recommended to upgrade to a newer version.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethereum | go-ethereum | — | — |
| ethereum | go_ethereum | >= 1.9.4 < 1.9.20 | 1.9.20 |
| github.com | ethereum_go-ethereum | >= 1.9.4 < 1.9.20 | 1.9.20 |
CVSS provenance
nvd | v3.1 | 5.3 MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 3.5 LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N
OSV
Consensus flaw in github.com/ethereum/go-ethereum
osv·2021-07-28
Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement, causing users of this package to reject a canonical chain.
GHSA
Consensus flaw during block processing in github.com/ethereum/go-ethereum
ghsa·2021-06-29
CVE-2020-26265 [MEDIUM] CWE-682 Consensus flaw during block processing in github.com/ethereum/go-ethereum
### Impact
A consensus-vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain.
### Description
A flaw was reported on 2020-08-11 by John Youngseok Yang (Software Platform Lab), where a particular sequence of transactions could cause a consensus failure.
- Tx 1:
  - `sender` invokes `caller`.
  - `caller` invokes `0xaa`. `0xaa` has 3 wei and does a self-destruct-to-self.
  - `caller` does a `1 wei` call to `0xaa`, which thereby has 1 wei (the code in `0xaa` is still executed, since the tx is still ongoing, but it doesn't redo the selfdestruct; it takes a different path if callvalue is non-zero).
- Tx 2:
  - `sender` does a 5-wei call to `0xaa`. No exec (since no code).
In geth
OSV
Consensus flaw during block processing in github.com/ethereum/go-ethereum
osv·2021-06-29
CVE-2020-26265 [MEDIUM] Consensus flaw during block processing in github.com/ethereum/go-ethereum
No detection rules found.
No public exploits indexed.
2020-12-11
Published