github.com/ethereum/go-ethereum vulnerabilities

26 known vulnerabilities affecting github.com/ethereum/go-ethereum.

Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: HIGH 13, MEDIUM 13

Vulnerabilities

Page 1 of 2
CVE-2026-26314 | HIGH | CWE-20 | affected: ≥ 0, < 1.16.9 | published: 2026-02-18
Go Ethereum affected by DoS via malicious p2p message
Impact: A vulnerable node can be forced to shutdown/crash using a specially crafted message. More details to be released later.
Patches: The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
Credit: This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com
CVE-2026-26313 | MEDIUM | CWE-770 | affected: ≥ 0, < 1.17.0 | published: 2026-02-18
Go Ethereum affected by DoS via malicious p2p message
Impact: An attacker can cause high memory usage by sending a specially-crafted p2p message. More details to be released later.
Patches: The issue is resolved in the v1.17.0 release.
Credit: This issue was reported to the Ethereum Foundation Bug Bounty Program by @revofusion
CVE-2026-26315 | MEDIUM | CWE-203 | affected: ≥ 0, < 1.16.9 | published: 2026-02-18
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
Impact: Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.
Patches: The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file `/geth/nod
CVE-2026-22868 | HIGH | CWE-20 | affected: ≥ 0, < 1.16.8 | published: 2026-01-13
go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message
Impact: An attacker can cause high CPU usage by sending a specially crafted p2p message. More details to be released later.
Credit: This issue was reported to the Ethereum Foundation Bug Bounty Program by @Yenya030
CVE-2026-22862 | HIGH | CWE-20 | affected: ≥ 0, < 1.16.8 | published: 2026-01-13
go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node
Impact: A vulnerable node can be forced to shutdown/crash using a specially crafted message. More details to be released later.
Credit: This issue was reported to the Ethereum Foundation Bug Bounty Program by DELENE TCHIO ROMUALD.
CVE-2025-24883 | MEDIUM | CWE-20 | affected: ≥ 1.14.0, < 1.14.13 | published: 2025-01-30
Go Ethereum vulnerable to DoS via malicious p2p message
Impact: A vulnerable node can be forced to shutdown/crash using a specially crafted message. During the peer-to-peer connection handshake, a shared secret key is computed. The implementation did not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve. By simply sending an all-zero public key, a crash
CVE-2024-32972 | HIGH | CWE-400 | affected: ≥ 0, < 1.13.15 | published: 2024-05-06
go-ethereum vulnerable to DoS via malicious p2p message
Impact: A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. In order to carry out the attack, the attacker establishes a peer connection to the victim, and sends a malicious `GetBlockHeadersRequest` message with a `count` of `0`, using the `ETH` protocol. In
CVE-2023-42319 | HIGH | CWE-400 | affected: ≥ 0, ≤ 1.13.4 | published: 2023-10-18
go-ethereum vulnerable to denial of service via crafted GraphQL query
Geth (aka go-ethereum) through 1.13.4, when `--http --graphql` is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amou
CVE-2023-40591 | HIGH | CWE-400 | affected: ≥ 0, < 1.12.1-stable | published: 2023-09-06
Go-Ethereum vulnerable to denial of service via malicious p2p message
Impact: A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node.
Details: The p2p handler spawned a new goroutine to respond to `ping` requests. By flooding a node with ping requests, an unbounded number of goroutines can be created,
CVE-2022-37450 | MEDIUM | exploited in the wild | affected: ≥ 0, ≤ 1.10.21 | published: 2022-08-06
Go Ethereum allows attackers to use manipulation of time-difference values to achieve replacement of main-chain blocks
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making
CVE-2022-29177 | MEDIUM | CWE-400 | affected: ≥ 0, < 1.10.17 | published: 2022-05-24
DoS via malicious p2p message in Go Ethereum
Impact: A vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node.
Patches: The following PR addresses the problem: https://github.com/ethereum/go-ethereum/pull/24507
Workarounds: Aside from applying the PR linked above, setting loglevel to default level (`INFO`)
CVE-2018-12018 | HIGH | CWE-129 | affected: ≥ 0, < 1.8.11 | published: 2022-05-14
Go Ethereum LES protocol implementation vulnerable to Denial of Service
The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remo
CVE-2021-42219 | HIGH | CWE-400 | affected: ≥ 0, ≤ 1.10.9 | published: 2022-03-18
Denial of service in go-ethereum
Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.
CVE-2022-23327 | HIGH | CWE-400 | affected: ≥ 0, ≤ 1.10.12 | published: 2022-03-05
Denial of Service in Go-Ethereum
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all pending transactions in a victim node's memory pool, causing a denial of service (DoS).
CVE-2022-23328 | HIGH | CWE-400 | affected: ≥ 0, ≤ 1.10.16 | published: 2022-03-05
Denial of Service in Go-Ethereum
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account, each of which spends the full balance of the account, to a victim Geth node, which can purge all pending transactions in the victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of ser
CVE-2021-43668 | MEDIUM | CWE-476 | affected: ≥ 0, ≤ 1.10.9 | published: 2021-11-23
Denial of Service in Go-Ethereum
Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.
CVE-2021-41173 | MEDIUM | CWE-20 | affected: ≥ 0, < 1.10.9 | published: 2021-10-25
Geth Node Vulnerable to DoS via maliciously crafted p2p message
Impact: A vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer, via the `snap/1` protocol. The crash can be triggered by sending a malicious `snap/1` `GetTrieNodes` package.
Details: On September 21, 2021, geth-team member Gary Rong (@rjl493456442) found a way to crash the snap request
CVE-2021-39137 | MEDIUM | CWE-436 | affected: ≥ 1.10.0, < 1.10.8 | published: 2021-08-30
Ethereum Contains Consensus Flaw During Block Processing
Impact: A vulnerability in the Geth EVM could cause a node to reject the canonical chain.
Description: A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different `stateRoot` when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks. Al
CVE-2018-19184 | HIGH | CWE-476 | affected: ≥ 0, < 1.8.14 | published: 2021-06-29
Go Ethereum Denial of Service
`cmd/evm/runner.go` in Go Ethereum (aka geth) allows attackers to cause a denial of service (SEGV) via crafted bytecode.
Specific Go Packages Affected: github.com/ethereum/go-ethereum/cmd/evm
CVE-2020-28362 | HIGH | CVSS 7.5 | affected: ≥ 0, < 1.9.24 | published: 2021-06-29
Denial of service in go-ethereum due to CVE-2020-28362
Impact: Versions of Geth built with Go `<1.15.5` or `<1.14.12` are most likely affected by a critical DoS-related security vulnerability. The golang team has registered the underlying flaw as ‘CVE-2020-28362’. We recommend all users to rebuild (ideally `v1.9.24`) with Go `1.15.5` or `1.14.12`, to avoid node crashes. Alternatively, if you are running binaries di