Ethereum Go-Ethereum vulnerabilities
16 known vulnerabilities affecting ethereum/go-ethereum.
Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 10, MEDIUM 6
Vulnerabilities
CVE-2026-26314 | HIGH | CVSS 8.7 | CWE-20 | fixed in 1.16.9 | 2026-02-19
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
Sources: cvelistv5, nvd
CVE-2026-26313 | MEDIUM | CVSS 6.9 | CWE-770 | fixed in 1.17.0 | 2026-02-19
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.
Sources: cvelistv5, nvd
CVE-2026-26315 | MEDIUM | CVSS 6.9 | CWE-203 | fixed in 1.16.9 | 2026-02-19
go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key afte
Sources: cvelistv5, nvd
CVE-2026-22862 | HIGH | CVSS 7.1 | CWE-20 | fixed in 1.16.8 | 2026-01-13
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
Sources: cvelistv5, nvd
CVE-2026-22868 | HIGH | CVSS 7.1 | CWE-20 | fixed in 1.16.8 | 2026-01-13
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
Sources: cvelistv5, nvd
CVE-2025-24883 | HIGH | CVSS 8.7 | CWE-248 | versions >= 1.14.0, < 1.14.13 | 2025-01-30
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.
Sources: cvelistv5, nvd
CVE-2024-32972 | HIGH | CVSS 7.5 | CWE-400 | fixed in 1.13.15 | 2024-05-06
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in geth version `1.13.15` and onwards.
Sources: cvelistv5, nvd
CVE-2023-40591 | HIGH | CVSS 7.5 | CWE-400 | fixed in 1.12.1-stable | 2023-09-06
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e., `1.12.2-unstable` and onwards. Users are advised to upgrade. The
Sources: cvelistv5, nvd
CVE-2022-29177 | MEDIUM | CVSS 5.9 | CWE-400 | fixed in 1.10.17 | 2022-05-20
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting logle
Sources: cvelistv5, nvd
CVE-2021-41173 | MEDIUM | CVSS 5.7 | CWE-20 | fixed in 1.10.9 | 2021-10-26
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.
Sources: cvelistv5, nvd
CVE-2021-39137 | HIGH | CVSS 7.5 | CWE-436 | versions >= 1.10.0, < 1.10.8 | 2021-08-24
go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8`
Sources: cvelistv5, nvd
CVE-2020-26264 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 1.9.25 | 2020-12-11
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25, a denial-of-service vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. T
Sources: cvelistv5, nvd
CVE-2020-26265 | MEDIUM | CVSS 5.3 | CWE-682 | versions >= 1.9.4, < 1.9.20 | 2020-12-11
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches
Sources: cvelistv5, nvd
CVE-2020-26240 | HIGH | CVSS 7.5 | CWE-682 | fixed in 1.9.24 | 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining
Sources: cvelistv5, nvd
CVE-2020-26242 | HIGH | CVSS 7.5 | fixed in 1.9.18 | 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
Sources: cvelistv5, nvd
CVE-2020-26241 | HIGH | CVSS 7.1 | CWE-682 | versions >= 1.9.7, < 1.9.17 | 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could depl
Sources: cvelistv5, nvd