
github.com/ethereum/go-ethereum vulnerabilities

26 known vulnerabilities affecting github.com/ethereum/go-ethereum.

Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: HIGH 13, MEDIUM 13

Vulnerabilities

Page 1 of 2
CVE | Priority | Severity | Notes | Affected versions | Published

CVE-2022-37450 | P2 | MEDIUM | Exploited | ≥ 0, ≤ 1.10.21 | 2022-08-06
CVE-2022-37450 [MEDIUM]: Go Ethereum allows attackers to use manipulation of time-difference values to achieve replacement of main-chain blocks
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making.
Sources: ghsa, osv
CVE-2025-24883 | P3 | MEDIUM | - | ≥ 1.14.0, < 1.14.13 | 2025-01-30
CVE-2025-24883 [MEDIUM] CWE-20: Go Ethereum vulnerable to DoS via malicious p2p message
### Impact
A vulnerable node can be forced to shutdown/crash using a specially crafted message. During the peer-to-peer connection handshake, a shared secret key is computed. The implementation did not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve. By simply sending an all-zero public key, a crash
Sources: ghsa, osv
CVE-2026-26315 | P3 | MEDIUM | - | ≥ 0, < 1.16.9 | 2026-02-18
CVE-2026-26315 [MEDIUM] CWE-203: Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
### Impact
Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.
### Patches
The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file `/geth/nod
Sources: ghsa, osv
CVE-2020-28362 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1.9.24 | 2021-06-29
CVE-2020-28362 [HIGH]: Denial of service in go-ethereum due to CVE-2020-28362
### Impact
Versions of Geth built with Go `<1.15.5` or `<1.14.12` are most likely affected by a critical DoS-related security vulnerability. The golang team has registered the underlying flaw as ‘CVE-2020-28362’. We recommend that all users rebuild (ideally `v1.9.24`) with Go `1.15.5` or `1.14.12`, to avoid node crashes. Alternatively, if you are running binaries di
Sources: ghsa, osv
CVE-2026-22862 | P3 | HIGH | - | ≥ 0, < 1.16.8 | 2026-01-13
CVE-2026-22862 [HIGH] CWE-20: go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node
**Impact**
A vulnerable node can be forced to shutdown/crash using a specially crafted message. More details to be released later.
**Credit**
This issue was reported to the Ethereum Foundation Bug Bounty Program by DELENE TCHIO ROMUALD.
Sources: ghsa, osv
CVE-2026-22868 | P3 | HIGH | - | ≥ 0, < 1.16.8 | 2026-01-13
CVE-2026-22868 [HIGH] CWE-20: go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message
**Impact**
An attacker can cause high CPU usage by sending a specially crafted p2p message. More details to be released later.
**Credit**
This issue was reported to the Ethereum Foundation Bug Bounty Program by @Yenya030.
Sources: ghsa, osv
CVE-2026-26314 | P3 | HIGH | - | ≥ 0, < 1.16.9 | 2026-02-18
CVE-2026-26314 [HIGH] CWE-20: Go Ethereum affected by DoS via malicious p2p message
### Impact
A vulnerable node can be forced to shutdown/crash using a specially crafted message. More details to be released later.
### Patches
The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
### Credit
This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com.
Sources: ghsa, osv
CVE-2021-39137 | P3 | MEDIUM | - | ≥ 1.10.0, < 1.10.8 | 2021-08-30
CVE-2021-39137 [MEDIUM] CWE-436: Ethereum Contains Consensus Flaw During Block Processing
### Impact
A vulnerability in the Geth EVM could cause a node to reject the canonical chain.
### Description
A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different `stateRoot` when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks. Al
Sources: ghsa, osv
CVE-2023-40591 | P3 | HIGH | - | ≥ 0, < 1.12.1-stable | 2023-09-06
CVE-2023-40591 [HIGH] CWE-400: Go-Ethereum vulnerable to denial of service via malicious p2p message
### Impact
A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node.
### Details
The p2p handler spawned a new goroutine to respond to `ping` requests. By flooding a node with ping requests, an unbounded number of goroutines can be created,
Sources: ghsa, osv
CVE-2024-32972 | P3 | HIGH | - | ≥ 0, < 1.13.15 | 2024-05-06
CVE-2024-32972 [HIGH] CWE-400: go-ethereum vulnerable to DoS via malicious p2p message
### Impact
A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. In order to carry out the attack, the attacker establishes a peer connection to the victim, and sends a malicious `GetBlockHeadersRequest` message with a `count` of `0`, using the `ETH` protocol. In
Sources: ghsa, osv
CVE-2026-26313 | P3 | MEDIUM | - | ≥ 0, < 1.17.0 | 2026-02-18
CVE-2026-26313 [MEDIUM] CWE-770: Go Ethereum affected by DoS via malicious p2p message
### Impact
An attacker can cause high memory usage by sending a specially-crafted p2p message. More details to be released later.
### Patches
The issue is resolved in the v1.17.0 release.
### Credit
This issue was reported to the Ethereum Foundation Bug Bounty Program by @revofusion.
Sources: ghsa, osv
CVE-2022-23328 | P3 | HIGH | - | ≥ 0, ≤ 1.10.16 | 2022-03-05
CVE-2022-23328 [HIGH] CWE-400: Denial of Service in Go-Ethereum
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of the pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of ser
Sources: ghsa, osv
CVE-2022-23327 | P3 | HIGH | - | ≥ 0, ≤ 1.10.12 | 2022-03-05
CVE-2022-23327 [HIGH] CWE-400: Denial of Service in Go-Ethereum
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of the pending transactions in a victim node's memory pool, causing a denial of service (DoS).
Sources: ghsa, osv
CVE-2020-26240 | P3 | MEDIUM | - | ≥ 0, < 1.9.24 | 2021-06-29
CVE-2020-26240 [MEDIUM] CWE-682: Erroneous Proof of Work calculation in geth
### Impact
An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected.
### Patches
This issue is also fixed as of 1.9.24. Thanks to @slavikus for bringing the issue to our
Sources: ghsa, osv
CVE-2018-12018 | P3 | HIGH | - | ≥ 0, < 1.8.11 | 2022-05-14
CVE-2018-12018 [HIGH] CWE-129: Go Ethereum LES protocol implementation vulnerable to Denial of Service
The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remo
Sources: ghsa, osv
CVE-2020-26241 | P3 | MEDIUM | - | ≥ 1.9.7, < 1.9.17 | 2021-06-29
CVE-2020-26241 [MEDIUM] CWE-682: Shallow copy bug in geth
### Impact
This is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth’s pre-compiled `dataCopy` (at `0x00...04`) contract did a shallow copy on invocation. An attacker could deploy a contract that
- writes `X` to an EVM memory region `R`,
- calls `0x00..04` with `R` as an argument,
- overwrites `R` to `Y`,
- and finally invokes the `RETURND
Sources: ghsa, osv
CVE-2023-42319 | P3 | HIGH | - | ≥ 0, ≤ 1.13.4 | 2023-10-18
CVE-2023-42319 [HIGH] CWE-400: go-ethereum vulnerable to denial of service via crafted GraphQL query
Geth (aka go-ethereum) through 1.13.4, when `--http --graphql` is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amou
Sources: ghsa, osv
CVE-2020-26264 | P4 | MEDIUM | - | ≥ 0, < 1.9.25 | 2021-06-29
CVE-2020-26264 [MEDIUM] CWE-400: Denial of service in github.com/ethereum/go-ethereum
### Impact
A DoS vulnerability can make a LES server crash via malicious `GetProofsV2` request from a connected LES client.
### Patches
The vulnerability was patched in https://github.com/ethereum/go-ethereum/pull/21896.
### Workarounds
This vulnerability only concerns users explicitly enabling `les` server; disabling `les` prevents the exploit. It can a
Sources: ghsa, osv
CVE-2021-42219 | P4 | HIGH | - | ≥ 0, ≤ 1.10.9 | 2022-03-18
CVE-2021-42219 [HIGH] CWE-400: Denial of service in go-ethereum
Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.
Sources: ghsa, osv
CVE-2020-26242 | P4 | MEDIUM | - | ≥ 1.9.16, < 1.9.18 | 2021-06-29
CVE-2020-26242 [MEDIUM] CWE-125: Denial of service in geth
### Impact
Denial-of-service (crash) during block processing.
### Details
Affected versions suffer from a vulnerability which can be exploited through the `MULMOD` operation, by specifying a modulo of `0`: `mulmod(a,b,0)`, causing a `panic` in the underlying library. The crash was in the `uint256` library, where a buffer [underflowed](https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2
Sources: ghsa, osv