High severity · NVD Advisory · Published Feb 19, 2026 · Updated Feb 20, 2026
Go Ethereum affected by DoS via malicious p2p message
CVE-2026-26314
Description
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shut down or crash by a specially crafted p2p message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ethereum/go-ethereum (Go) | < 1.16.9 | 1.16.9 |
Affected products
- Range: < 1.16.9
Patches
- 895a8597cb16: crypto/secp256k1: fix coordinate check
3 files changed · +15 −2
crypto/secp256k1/curve.go+4 −0 modified@@ -73,6 +73,10 @@ func (bitCurve *BitCurve) Params() *elliptic.CurveParams { // IsOnCurve returns true if the given (x,y) lies on the BitCurve. func (bitCurve *BitCurve) IsOnCurve(x, y *big.Int) bool { + if x.Cmp(bitCurve.P) >= 0 || y.Cmp(bitCurve.P) >= 0 { + return false + } + // y² = x³ + b y2 := new(big.Int).Mul(y, y) //y² y2.Mod(y2, bitCurve.P) //y²%P
crypto/secp256k1/ext.h+4 −2 modified@@ -109,8 +109,10 @@ int secp256k1_ext_scalar_mul(const secp256k1_context* ctx, unsigned char *point, ARG_CHECK(scalar != NULL); (void)ctx; - secp256k1_fe_set_b32_limit(&feX, point); - secp256k1_fe_set_b32_limit(&feY, point+32); + if (!secp256k1_fe_set_b32_limit(&feX, point) || + !secp256k1_fe_set_b32_limit(&feY, point+32)) { + return 0; + } secp256k1_ge_set_xy(&ge, &feX, &feY); secp256k1_scalar_set_b32(&s, scalar, &overflow); if (overflow || secp256k1_scalar_is_zero(&s)) {
crypto/signature_nocgo.go+7 −0 modified@@ -164,6 +164,13 @@ type btCurve struct { *secp256k1.KoblitzCurve } +func (curve btCurve) IsOnCurve(x, y *big.Int) bool { + if x.Cmp(secp256k1.Params().P) >= 0 || y.Cmp(secp256k1.Params().P) >= 0 { + return false + } + return curve.KoblitzCurve.IsOnCurve(x, y) +} + // Marshal converts a point given as (x, y) into a byte slice. func (curve btCurve) Marshal(x, y *big.Int) []byte { byteLen := (curve.Params().BitSize + 7) / 8
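Review bot: In crypto/secp256k1/curve.go, the new guard at the top of IsOnCurve bounds x and y only from above, so a negative *big.Int is not rejected by `x.Cmp(bitCurve.P) >= 0 || y.Cmp(bitCurve.P) >= 0`, and a negative y still reaches `y2.Mod(y2, bitCurve.P)` and is judged by its reduced value. Consider also testing `x.Sign() < 0 || y.Sign() < 0` so that only canonical coordinates in [0, P) are accepted, and extend the doc comment to say that out-of-range coordinates return false.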
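Review bot: In crypto/secp256k1/ext.h, the new early `return 0` in secp256k1_ext_scalar_mul carries no comment saying which inputs it rejects or why the result of secp256k1_fe_set_b32_limit now matters. A one-line comment above the `if`, plus a function comment that lists a rejected coordinate as a failure case, would make the contract explicit. It is also worth confirming in this change that every caller checks the return value before using the output buffer.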
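Review bot: In crypto/signature_nocgo.go, the new btCurve.IsOnCurve repeats the range check added to BitCurve.IsOnCurve in curve.go, and none of the three changed files is a test, so nothing keeps the cgo and nocgo builds in agreement. Add a table-driven test that passes both implementations a coordinate equal to P and one just above it and expects false. As a smaller point, bind `secp256k1.Params().P` to a local rather than calling Params() twice in the condition.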
References
- github.com/advisories/GHSA-2gjw-fg97-vg3r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26314 (ghsa, ADVISORY)
- github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60 (ghsa, x_refsource_MISC, WEB)
- github.com/ethereum/go-ethereum/releases/tag/v1.16.9 (ghsa, x_refsource_MISC, WEB)
- github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2026-4507 (ghsa, WEB)