CVE-2022-23327
Description
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all pending transactions from a victim node's memory pool, causing a denial of service (DoS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go-Ethereum nodes before 1.10.13 are vulnerable to a DoS attack in which an attacker purges the victim's pending transactions by sending a single message containing 5120 high-gas-price future transactions.
Vulnerability
A design flaw in Go-Ethereum versions 1.10.12 and older allows an attacker to send a single message containing 5120 future transactions (transactions whose nonce is ahead of the sender's next expected nonce, so they cannot execute yet) with a high gas price. 5120 is the default total capacity of geth's transaction pool in this release line, GlobalSlots (4096 executable slots) plus GlobalQueue (1024 queued slots), so one such batch exactly fills the pool. Admitting it causes the victim node to evict every existing pending transaction from its memory pool, resulting in a denial of service (DoS). The bug is in the transaction pool handling code and requires no special configuration beyond a running node that accepts network messages [1][2].
Exploitation
An attacker must be able to deliver transaction messages to the victim node over the Ethereum peer-to-peer protocol. No authentication is required, as the victim node accepts transactions from any connected peer. The attacker crafts a single message containing 5120 transactions that are well-formed and pay a high gas price but carry a future nonce, so none of them is executable. When the victim node admits the batch, its transaction pool reaches capacity and makes room by evicting the lowest-priced transactions it holds, which are the honest pending transactions; the attacker's own transactions, being non-executable, then sit in the queue and are never mined, so the attacker pays no gas for the purge [2].
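To make the eviction mechanics concrete, the following is an added example in Go; it is not go-ethereum's code and not the actual patch. It models a toy transaction pool with the vulnerable policy (any newcomer that pays more than the cheapest resident may evict it, whether or not the newcomer is executable) next to a hypothetical hardening that refuses to let a non-executable transaction evict a pending one. The capacity constants 4096/1024 (GlobalSlots/GlobalQueue) and the per-account queue cap of 64 are geth's default txpool settings as assumed here; the honest and attacker transactions are constructed sample data, and the truncation heuristics are simplified.

```go
package main

import "fmt"

// Tx is a minimal transaction model; exec is set by the pool on admission (true = nonce is the
// sender's next one, "pending"; false = nonce gap, "queued" / future tx).
type Tx struct {
	From         string
	Nonce, Price uint64
	exec         bool
}

// Pool is a toy pool with geth-like global limits; not go-ethereum code, it only models the
// price-based eviction policy the CVE describes.
type Pool struct {
	GlobalSlots    int               // executable capacity; geth default 4096 (assumed)
	GlobalQueue    int               // non-executable capacity; geth default 1024 (assumed)
	ProtectPending bool              // hypothetical hardening: a future tx may not evict an executable one
	next           map[string]uint64 // next expected nonce per sender (stands in for chain state)
	all            []Tx              // every admitted tx, in admission order
}

// Counts returns how many executable (pending) and non-executable (queued) txs the pool holds.
func (p *Pool) Counts() (pending, queued int) {
	for _, t := range p.all {
		if t.exec {
			pending++
		} else {
			queued++
		}
	}
	return
}

// add admits one tx. At capacity it evicts the globally cheapest tx if the newcomer pays more;
// in the vulnerable policy executable pending txs are not exempt from eviction.
func (p *Pool) add(tx Tx) bool {
	tx.exec = tx.Nonce == p.next[tx.From]
	if len(p.all) >= p.GlobalSlots+p.GlobalQueue {
		if p.ProtectPending && !tx.exec {
			return false // hardening: a nonce-gapped tx cannot push out executable work
		}
		victim := -1
		for i, t := range p.all {
			if victim < 0 || t.Price < p.all[victim].Price {
				victim = i
			}
		}
		if victim < 0 || p.all[victim].Price >= tx.Price {
			return false // newcomer is underpriced relative to everything in the pool
		}
		p.all = append(p.all[:victim], p.all[victim+1:]...)
	}
	p.all = append(p.all, tx)
	if tx.exec {
		p.next[tx.From]++
	}
	return true
}

// AddBatch models one p2p message carrying many txs: admit each, then enforce the queue limit by
// dropping surplus non-executable txs oldest first. The attacker's future txs die here, never mined.
func (p *Pool) AddBatch(txs []Tx) (admitted int) {
	for _, tx := range txs {
		if p.add(tx) {
			admitted++
		}
	}
	for _, queued := p.Counts(); queued > p.GlobalQueue; _, queued = p.Counts() {
		for i, t := range p.all {
			if !t.exec {
				p.all = append(p.all[:i], p.all[i+1:]...)
				break
			}
		}
	}
	return admitted
}

// Simulate seeds a victim pool with 2000 honest pending txs (constructed data), then delivers the
// 5120-tx attack spread over 80 senders x 64 future nonces, so a per-account queue cap of 64 would not help.
func Simulate(protect bool) (pendingBefore, pendingAfter, queuedAfter int) {
	pool := &Pool{GlobalSlots: 4096, GlobalQueue: 1024, ProtectPending: protect, next: map[string]uint64{}}
	var honest, attack []Tx
	for i := 0; i < 2000; i++ {
		honest = append(honest, Tx{From: fmt.Sprintf("honest-%d", i), Nonce: 0, Price: 10})
	}
	pool.AddBatch(honest)
	pendingBefore, _ = pool.Counts()
	for a := 0; a < 80; a++ {
		for n := uint64(1); n <= 64; n++ { // expected nonce is 0, so every attack tx is non-executable
			attack = append(attack, Tx{From: fmt.Sprintf("attacker-%d", a), Nonce: n, Price: 1000})
		}
	}
	pool.AddBatch(attack)
	pendingAfter, queuedAfter = pool.Counts()
	return
}

func main() {
	fmt.Println(Simulate(false)) // 2000 0 1024: every honest pending tx was evicted
	fmt.Println(Simulate(true))  // 2000 2000 1024: pending set intact under the hardening
}
```

The vulnerable run shows the two properties that make the attack cheap: the honest pending set goes to zero, and the attacker's 5120 transactions are themselves truncated back down to the queue limit without any of them ever becoming executable, so no fee is ever paid for them. Raising GlobalSlots or GlobalQueue only changes the batch size the attacker needs.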
Impact
A successful attack empties the victim node's mempool of pending transactions. A mining or block-building node can then include none of the transactions it previously held, and a non-mining node stops relaying them, which amounts to a denial of service for transaction processing. The attacker gains no code execution or data access; the impact is limited to disrupting transaction handling until new transactions arrive, although nothing prevents the attacker from repeating the message to keep the pool empty [2].
Mitigation
The vulnerability is reported fixed in Go-Ethereum version 1.10.13, released shortly after the disclosure, and users should upgrade to at least this version. Note that the GHSA-sourced affected-packages table below records no patched version for github.com/ethereum/go-ethereum, so confirm the fix against the go-ethereum release notes before relying on that version number. No workarounds are documented, and enlarging the transaction pool is not one: an attacker can simply send a batch sized to the victim's capacity. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ethereum/go-ethereum (Go) | <= 1.10.12 | — |
Affected products: 1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pvx3-gm3c-gmpr (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23327 (NVD, via GHSA)
- ethereum.com (MITRE, x_refsource_MISC)
- go-ethereum.com (MITRE, x_refsource_MISC)
- dl.acm.org/doi/pdf/10.1145/3460120.3485369 (ACM CCS 2021 paper, via GHSA, x_refsource_MISC)
- tristartom.github.io/docs/ccs21.pdf (paper preprint, via GHSA, x_refsource_MISC)
News mentions
No linked articles in our index yet.