CVE-2024-32972 — Uncontrolled Resource Consumption in Go-ethereum

CWE-400 — Uncontrolled Resource Consumption5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 30.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ethereum Go-ethereum Github.com Ethereum Go-ethereum

Timeline

PublishedMay 6

Latest updateMay 8

Description

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in geth version `1.13.15` and onwards.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5ethereum/go-ethereum< 1.13.15

▶Gogithub.com/ethereum_go-ethereum< 1.13.15

🔴Vulnerability Details

OSV

Denial of Service in github.com/ethereum/go-ethereum↗2024-05-08

▶

CVEList

go-ethereum denial of service via malicious p2p message↗2024-05-06

▶

GHSA

go-ethereum vulnerable to DoS via malicious p2p message↗2024-05-06

▶

OSV

go-ethereum vulnerable to DoS via malicious p2p message↗2024-05-06

▶