VYPR
High severity · NVD Advisory · Published Mar 4, 2022 · Updated Aug 3, 2024

CVE-2022-23328

Description

A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions with a high gas price from one account, each of which fully spends the account's balance, to a victim Geth node. This can purge all of the pending transactions in the victim node's memory pool and then occupy the pool so that new transactions cannot enter it, resulting in a denial of service (DoS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A design flaw in all Go-Ethereum versions allows a peer to send 5120 high-gas-price pending transactions that drain a victim Geth node's memory pool, causing a denial of service.

Vulnerability

A design flaw exists in all versions of Go-Ethereum (the Go-based execution layer for Ethereum), specifically in the pending transaction handling logic. An attacker-controlled Ethereum node can send 5120 pending transactions from a single account, each with a high gas price and set to fully spend the entire balance of that account. These transactions are relayed to a victim Geth (Go-Ethereum client) node, which processes them as valid pending transactions. The victim node's transaction pool (memory pool) accepts these transactions, purging all existing pending transactions once the pool is full, and then prevents new legitimate pending transactions from entering the pool. The affected product is Go-Ethereum (geth); all versions are impacted [1][2][3].

Exploitation

The attacker must be a peer on the Ethereum network connected to the victim Geth node. No authentication or write access is needed beyond the ability to send normal Ethereum transactions. The attacker crafts 5120 transactions from one account, each with a high gas price and each spending the full account balance. These are broadcast to the network and reach the victim's memory pool. The victim node processes them, filling its pending transaction pool capacity. Because each transaction fully spends the balance, subsequent transactions from that account become invalid, but the pool is already full. The attacker does not need user interaction or a race condition; the attack is a straightforward flooding of the memory pool [1][3].

Impact

Successful exploitation results in a denial of service (DoS) for the victim Geth node. All existing pending transactions (from other users) are purged from the memory pool, and new pending transactions are rejected as long as the pool remains occupied by the attacker's transactions. This prevents the victim node from processing any new transactions, disrupting its participation in the Ethereum network and potentially causing financial or operational loss for users relying on that node [1][3].

Mitigation

As of the publication date (2022-03-04), no patched version of Go-Ethereum has been disclosed. The vulnerability affects all versions, and no specific workaround is provided in the references. Administrators should monitor the Go-Ethereum project for a security update and consider applying any future fix. The CVE is not listed in the known exploited vulnerabilities catalog (KEV) [1][2][3].
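The flooding pattern described above (one sender holding almost every pending slot) is visible to a node operator through geth's txpool_content JSON-RPC result. The following is an added detection example, not code from the page or from go-ethereum; it assumes the documented result shape (pending transactions keyed by sender address, then by nonce) and uses a constructed payload and an illustrative threshold of 4096 rather than data from a real node.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Shape of geth's txpool_content result: "pending" is keyed by sender
// address, then by nonce. Transaction bodies are left opaque here.
type poolContent struct {
	Pending map[string]map[string]json.RawMessage `json:"pending"`
}

// dominantSender returns the sender holding the most pending slots, its
// count, and whether that count reaches threshold: the single-account
// flooding pattern CVE-2022-23328 describes. Empty pool -> ("", 0, false).
func dominantSender(raw []byte, threshold int) (string, int, bool, error) {
	var pc poolContent
	if err := json.Unmarshal(raw, &pc); err != nil {
		return "", 0, false, err
	}
	top, best := "", 0
	for sender, byNonce := range pc.Pending {
		if n := len(byNonce); n > best {
			top, best = sender, n
		}
	}
	return top, best, best >= threshold, nil
}

// constructedPool fabricates a txpool_content payload (constructed test
// data, not captured from a node): n pending txs from flooder plus one
// from an unrelated account. Nonces are decimal strings as in the RPC.
func constructedPool(flooder string, n int) []byte {
	pending := map[string]map[string]string{
		flooder: {}, "0xOTHER_CONSTRUCTED": {"0": "tx"},
	}
	for i := 0; i < n; i++ {
		pending[flooder][strconv.Itoa(i)] = "tx"
	}
	b, _ := json.Marshal(map[string]interface{}{"pending": pending})
	return b
}

func main() {
	// Threshold is an operator choice; 4096 is used only as an illustration.
	who, n, flagged, err := dominantSender(constructedPool("0xFLOODER_CONSTRUCTED", 5120), 4096)
	fmt.Printf("sender=%s pending=%d flagged=%v err=%v\n", who, n, flagged, err)
}
```

Against a live node the payload would come from an eth JSON-RPC call to txpool_content; a per-sender count at the pool's global capacity is the signal worth alerting on.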

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/ethereum/go-ethereum (Go)
Affected versions: <= 1.10.16
Patched versions: (none)

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 6
