CVE-2026-26315
Published 2026-02-19
Priority: P3 | 44 | high | 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.45% (35.7th percentile)
go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `/geth/nodekey` before starting Geth.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethereum | go-ethereum | < 1.16.9 | 1.16.9 |
| ethereum | go_ethereum | < 1.16.9 | 1.16.9 |
| github.com | ethereum_go-ethereum | >= 0 < 1.16.9 | 1.16.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum
osv·2026-02-24
CVE-2026-26315 Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum
GHSA
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
ghsa·2026-02-18
CVE-2026-26315 [MEDIUM] CWE-203 Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
### Impact
Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.
### Patches
The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file `/geth/nodekey` before starting Geth.
### Credit
The issue was reported as a public pull request to go-ethereum by @fengjian.
OSV
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
osv·2026-02-18
CVE-2026-26315 [MEDIUM] Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-26313 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26313 [HIGH] CVE-2026-26313 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26313: Ethereum Geth vulnerability analysis and mitigation
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.
Source : NVD
| Field | Value |
|---|---|
| Score | 6.9 |
| Published | February 19, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | Ethereum Geth, Linux Alpine |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 9 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:ethereum:go_ethereum
github.com/ethereum/go-ethereum
Sources
Alpine 3.23, edge Severity HIGH Has Fix Added at:
Wiz
CVE-2026-26314 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26314 [HIGH] CVE-2026-26314 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26314: Ethereum Geth vulnerability analysis and mitigation
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
Source : NVD
| Field | Value |
|---|---|
| Score | 8.7 |
| Published | February 19, 2026 |
| Severity | HIGH |
| CNA Score | 8.7 |
| Affected Technologies | Ethereum Geth, Linux Alpine |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 20.7 |
| Exploitation Probability (EPSS) | 0.1 |
Affected packages and libraries
geth
github.com/ethereum/go-ethereum
Sources
Alpine 3.23, edge Severity HIGH Has Fix Added at: M
Wiz
CVE-2026-22862 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-22862 [HIGH] CVE-2026-22862 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22862: Ethereum Geth vulnerability analysis and mitigation
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
Source : NVD
| Field | Value |
|---|---|
| Score | 7.1 |
| Published | January 13, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | Ethereum Geth |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.1 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:ethereum:go_ethereum
github.com/ethereum/go-ethereum
Sources
GoLang Severity HIGH Has Fix Added at: Jan 14, 2026
Windows Severity HIGH Has Fix Added at: J
Wiz
CVE-2026-22868 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-22868 [HIGH] CVE-2026-22868 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22868: Ethereum Geth vulnerability analysis and mitigation
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
Source : NVD
| Field | Value |
|---|---|
| Score | 7.1 |
| Published | January 13, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | Ethereum Geth |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.1 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:ethereum:go_ethereum
github.com/ethereum/go-ethereum
Sources
GoLang Severity HIGH Has Fix Added at: Jan 14, 2026
Windows Severity HIGH Has Fix Added at: Ja
Wiz
CVE-2026-26315 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26315 [HIGH] CVE-2026-26315 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26315: Ethereum Geth vulnerability analysis and mitigation
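go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `/geth/nodekey` before starting Geth.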
Source : NVD
| Field | Value |
|---|---|
| Score | 6.9 |
| Published | February 19, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | Ethereum Geth, Linux Alpine |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 7.6 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:ethereum:go_ethereum
github.com/ethereum/go-ethereum
Sources
Alpine 3.23, edge Severity HIGH Has Fix Added at: Mar 02, 2026
GoLang Severity MEDIUM Has Fix Added at: Feb 19, 2026
Windows Severity HIGH Has Fix Added at: Feb 20, 2026
Windows Severity HIGH Has Fix Added at: Feb 24, 2026