VYPR
Moderate severity · NVD Advisory · Published Nov 18, 2021 · Updated Aug 4, 2024

CVE-2021-43668

Description

Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Go-Ethereum 1.10.9 nodes crash due to nil pointer dereference in goleveldb when processing crafted messages, leading to unrecoverable denial of service.

Vulnerability

Go-Ethereum version 1.10.9 (and possibly earlier) contains a nil pointer dereference vulnerability in the underlying goleveldb library. When a node receives a series of specially crafted messages, it triggers a panic in table.(*Reader).newBlockIter due to a nil pointer, causing a segmentation fault and crash. The crash is unrecoverable, requiring manual restart. [1][2][3][4]

Exploitation

An attacker can send a sequence of malicious messages to a Go-Ethereum node over the network. No authentication is required; the node must be reachable and processing messages. The exact sequence triggers the nil pointer dereference in the leveldb table reader, leading to immediate crash. [3][4]

Impact

Successful exploitation results in a denial of service (DoS) as the node crashes and cannot recover automatically. The node must be manually restarted. No data corruption or remote code execution is reported. [2][3]

Mitigation

The vulnerability is fixed in Go-Ethereum versions after 1.10.9. Users should upgrade to the latest stable release. No workaround is available. The issue was reported in the goleveldb library and addressed in subsequent commits. [1][3][4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/ethereum/go-ethereum (Go) | <= 1.10.9 | |

Affected products

2

Patches

0

No patches discovered yet.

References

4
