Go modules package

github.com/ethereum/go-ethereum

pkg:golang/github.com/ethereum/go-ethereum

Vulnerabilities (25)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-26315		—	< 1.16.9	1.16.9	Feb 19, 2026	go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0
CVE-2026-26314		—	< 1.16.9	1.16.9	Feb 19, 2026	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
CVE-2026-26313		—	< 1.17.0	1.17.0	Feb 19, 2026	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.
CVE-2026-22868		—	< 1.16.8	1.16.8	Jan 13, 2026	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
CVE-2026-22862		—	< 1.16.8	1.16.8	Jan 13, 2026	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
CVE-2025-24883	Hig	—	>= 1.14.0, < 1.14.13	1.14.13	Jan 30, 2025	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.
CVE-2024-32972	Hig	7.5	< 1.13.15	1.13.15	May 6, 2024	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in ge
CVE-2023-42319		—	<= 1.13.4	—	Oct 18, 2023	Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand at
CVE-2023-40591		—	< 1.12.1-stable	1.12.1-stable	Sep 6, 2023	go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stabl
CVE-2022-37450		—	<= 1.10.21	—	Aug 5, 2022	Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 th
CVE-2022-29177		—	< 1.10.17	1.10.17	May 20, 2022	Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 cont
CVE-2021-42219		—	<= 1.10.9	—	Mar 16, 2022	Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.
CVE-2022-23328		—	<= 1.10.16	—	Mar 4, 2022	A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's m
CVE-2022-23327		—	<= 1.10.12	—	Mar 4, 2022	A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).
CVE-2021-43668		—	<= 1.10.9	—	Nov 18, 2021	Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and arise a SEGV signal.
CVE-2021-41173		—	< 1.10.9	1.10.9	Oct 26, 2021	Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known work
CVE-2021-39137		—	>= 1.10.0, < 1.10.8	1.10.8	Aug 24, 2021	go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be
CVE-2020-26264		—	< 1.9.25	1.9.25	Dec 11, 2020	Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns user
CVE-2020-26265		—	>= 1.9.4, < 1.9.20	1.9.20	Dec 11, 2020	Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included i
CVE-2020-26240		—	< 1.9.24	1.9.24	Nov 25, 2020	Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ET

CVE-2026-26315Feb 19, 2026
affected < 1.16.9fixed 1.16.9
go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0
CVE-2026-26314Feb 19, 2026
affected < 1.16.9fixed 1.16.9
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
CVE-2026-26313Feb 19, 2026
affected < 1.17.0fixed 1.17.0
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.
CVE-2026-22868Jan 13, 2026
affected < 1.16.8fixed 1.16.8
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
CVE-2026-22862Jan 13, 2026
affected < 1.16.8fixed 1.16.8
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
CVE-2025-24883HigJan 30, 2025
affected >= 1.14.0, < 1.14.13fixed 1.14.13
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.
CVE-2024-32972HigMay 6, 2024
affected < 1.13.15fixed 1.13.15
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in ge
CVE-2023-42319Oct 18, 2023
affected <= 1.13.4
Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand at
CVE-2023-40591Sep 6, 2023
affected < 1.12.1-stablefixed 1.12.1-stable
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stabl
CVE-2022-37450Aug 5, 2022
affected <= 1.10.21
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 th
CVE-2022-29177May 20, 2022
affected < 1.10.17fixed 1.10.17
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 cont
CVE-2021-42219Mar 16, 2022
affected <= 1.10.9
Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.
CVE-2022-23328Mar 4, 2022
affected <= 1.10.16
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's m
CVE-2022-23327Mar 4, 2022
affected <= 1.10.12
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).
CVE-2021-43668Nov 18, 2021
affected <= 1.10.9
Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and arise a SEGV signal.
CVE-2021-41173Oct 26, 2021
affected < 1.10.9fixed 1.10.9
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known work
CVE-2021-39137Aug 24, 2021
affected >= 1.10.0, < 1.10.8fixed 1.10.8
go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be
CVE-2020-26264Dec 11, 2020
affected < 1.9.25fixed 1.9.25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns user
CVE-2020-26265Dec 11, 2020
affected >= 1.9.4, < 1.9.20fixed 1.9.20
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included i
CVE-2020-26240Nov 25, 2020
affected < 1.9.24fixed 1.9.24
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ET

Page 1 of 2