{"ecosystem":"go","package":"github.com/ethereum/go-ethereum","version":null,"bugs":[{"id":5174,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":null,"bug_id":"osv:GHSA-vrcc-g6vj-mh5w","title":"Denial of service in go-ethereum","description":"Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.","severity":"high","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42219","labels":["CVE-2021-42219"],"created_at":"2026-04-26 03:01:54.493015+00:00","updated_at":"2026-04-26 03:01:54.493015+00:00"},{"id":5173,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":null,"bug_id":"osv:GHSA-vmf7-hmh6-vv57","title":"Denial of Service in Go-Ethereum","description":"A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).","severity":"high","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23328","labels":["CVE-2022-23328"],"created_at":"2026-04-26 03:01:54.490349+00:00","updated_at":"2026-04-26 03:01:54.490349+00:00"},{"id":5172,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":null,"bug_id":"osv:GHSA-v9jh-j8px-98vq","title":"go-ethereum vulnerable to denial of service via crafted GraphQL query","description":"Geth (aka go-ethereum) through 1.13.4, when `--http --graphql` is used, allows remote attackers to 
cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query.\n\nNOTE: the vendor's position is that the \"graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic.\"","severity":"high","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42319","labels":["CVE-2023-42319"],"created_at":"2026-04-26 03:01:54.487678+00:00","updated_at":"2026-04-26 03:01:54.487678+00:00"},{"id":5168,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.8.14","bug_id":"osv:GHSA-qr2j-wrhx-4829","title":"Go Ethereum Improper Input Validation","description":"In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.\n\n### Specific Go Packages Affected\ngithub.com/ethereum/go-ethereum/eth","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16733","labels":["CVE-2018-16733","GO-2022-0871"],"created_at":"2026-04-26 03:01:54.476878+00:00","updated_at":"2026-04-26 03:01:54.476878+00:00"},{"id":5166,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":null,"bug_id":"osv:GHSA-pvx3-gm3c-gmpr","title":"Denial of Service in Go-Ethereum","description":"A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).","severity":"high","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23327","labels":["CVE-2022-23327"],"created_at":"2026-04-26 03:01:54.471583+00:00","updated_at":"2026-04-26 
03:01:54.471583+00:00"},{"id":5165,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.12.1-stable","bug_id":"osv:GHSA-ppjg-v974-84cm","title":"Go-Ethereum vulnerable to denial of service via malicious p2p message","description":"### Impact\n\nA vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node.\n\n### Details\n\nThe p2p handler spawned a new goroutine to respond to `ping` requests. By flooding a node with ping requests, an unbounded number of goroutines can be created, leading to resource exhaustion and potentially crash due to OOM.\n\n### Patches\n\nThe fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. \n\nFixed by https://github.com/ethereum/go-ethereum/pull/27887\n\n### Workarounds\n\nNo known workarounds. \n\n### Credits\n\nThis bug was reported by Patrick McHardy and reported via [bounty@ethereum.org](mailto:bounty@ethereum.org). \n\n### References\n\n","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm","labels":["CVE-2023-40591","GO-2023-2046"],"created_at":"2026-04-26 03:01:54.468914+00:00","updated_at":"2026-04-26 03:01:54.468914+00:00"},{"id":5164,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.8.11","bug_id":"osv:GHSA-p5gc-957x-gfw9","title":"Go Ethereum LES protocol implementation vulnerable to Denial of Service","description":"The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. 
The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.\n\n### Specific Go Packages Affected\ngithub.com/ethereum/go-ethereum/les","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12018","labels":["CVE-2018-12018","GO-2021-0075"],"created_at":"2026-04-26 03:01:54.466253+00:00","updated_at":"2026-04-26 03:01:54.466253+00:00"},{"id":5163,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.8","bug_id":"osv:GHSA-mr7q-c9w9-wh4h","title":"go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node","description":"**Impact**\n\nA vulnerable node can be forced to shutdown/crash using a specially crafted message. \nMore details to be released later.\n\n**Credit**\n\nThis issue was reported to the Ethereum Foundation Bug Bounty Program by DELENE TCHIO ROMUALD.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h","labels":["CVE-2026-22862","GO-2026-4315"],"created_at":"2026-04-26 03:01:54.463597+00:00","updated_at":"2026-04-26 03:01:54.463597+00:00"},{"id":5162,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.8","bug_id":"osv:GHSA-mq3p-rrmp-79jg","title":"go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message","description":"**Impact**\n\nAn attacker can cause high CPU usage by sending a specially crafted p2p message.\nMore details to be released later.\n\n**Credit**\n\nThis issue was reported to the Ethereum Foundation Bug Bounty Program by @Yenya030","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg","labels":["CVE-2026-22868","GO-2026-4314"],"created_at":"2026-04-26 
03:01:54.458012+00:00","updated_at":"2026-04-26 03:01:54.458012+00:00"},{"id":5158,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.8.14","bug_id":"osv:GHSA-9h4h-8w5p-f28w","title":"Go Ethereum Denial of Service","description":"`cmd/evm/runner.go` in Go Ethereum (aka geth) allows attackers to cause a denial of service (SEGV) via crafted bytecode.\n### Specific Go Packages Affected\ngithub.com/ethereum/go-ethereum/cmd/evm","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-19184","labels":["CVE-2018-19184","GO-2022-0814"],"created_at":"2026-04-26 03:01:54.441408+00:00","updated_at":"2026-04-26 03:01:54.441408+00:00"},{"id":5152,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.13.15","bug_id":"osv:GHSA-4xc9-8hmq-j652","title":"go-ethereum vulnerable to DoS via malicious p2p message","description":"### Impact\n\nA vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node.\n\nIn order to carry out the attack, the attacker establishes a peer connections to the victim, and sends a malicious `GetBlockHeadersRequest` message with a `count` of  `0`, using the `ETH` protocol. \n\nIn `descendants := chain.GetHeadersFrom(num+count-1, count-1)`, the value of `count-1` is passed to the function `GetHeadersFrom(number, count uint64)` as parameter `count`. Due to integer overflow, `UINT64_MAX` value is then passed as the `count` argument to function `GetHeadersFrom(number, count uint64)`. This allows an attacker to bypass `maxHeadersServe` and request all headers from the latest block back to the genesis block. \n\n### Patches\n\nThe fix has been included in geth version `1.13.15` and onwards. 
\n\nThe vulnerability was patched in: https://github.com/ethereum/go-ethereum/pull/29534\n\n### Workarounds\n\nNo workarounds have been made public. \n\n### References\n\nNo more information is released at this time.\n\n### Credit\n\nThis issue was disclosed responsibly by DongHan Kim via the Ethereum bug bounty program. Thank you for your cooperation. ","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652","labels":["CVE-2024-32972","GO-2024-2819"],"created_at":"2026-04-26 03:01:54.422377+00:00","updated_at":"2026-04-26 03:01:54.422377+00:00"},{"id":5151,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.9","bug_id":"osv:GHSA-2gjw-fg97-vg3r","title":"Go Ethereum affected by DoS via malicious p2p message","description":"### Impact\n\nA vulnerable node can be forced to shutdown/crash using a specially crafted message.\nMore details to be released later.\n\n### Patches\n\nThe problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.\n\n### Credit\n\nThis issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r","labels":["CVE-2026-26314","GO-2026-4507"],"created_at":"2026-04-26 03:01:54.419513+00:00","updated_at":"2026-04-26 03:01:54.419513+00:00"},{"id":5195,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.9","bug_id":"osv:GO-2026-4511","title":"Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum","description":"Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in 
github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6j8-rg6r-7mv8","labels":["CVE-2026-26315","GHSA-m6j8-rg6r-7mv8"],"created_at":"2026-04-26 03:01:54.548292+00:00","updated_at":"2026-04-26 03:01:54.548292+00:00"},{"id":5194,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.17.0","bug_id":"osv:GO-2026-4508","title":"Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum","description":"Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3","labels":["CVE-2026-26313","GHSA-689v-6xwf-5jf3"],"created_at":"2026-04-26 03:01:54.545684+00:00","updated_at":"2026-04-26 03:01:54.545684+00:00"},{"id":5193,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.9","bug_id":"osv:GO-2026-4507","title":"Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum","description":"Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r","labels":["CVE-2026-26314","GHSA-2gjw-fg97-vg3r"],"created_at":"2026-04-26 03:01:54.543058+00:00","updated_at":"2026-04-26 03:01:54.543058+00:00"},{"id":5192,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.8","bug_id":"osv:GO-2026-4315","title":"DoS via malicious p2p message affecting a vulnerable node in github.com/ethereum/go-ethereum","description":"DoS via malicious p2p message affecting a vulnerable node in 
github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h","labels":["CVE-2026-22862","GHSA-mr7q-c9w9-wh4h"],"created_at":"2026-04-26 03:01:54.540397+00:00","updated_at":"2026-04-26 03:01:54.540397+00:00"},{"id":5191,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.8","bug_id":"osv:GO-2026-4314","title":"High CPU usage leading to DoS via malicious p2p message in github.com/ethereum/go-ethereum","description":"High CPU usage leading to DoS via malicious p2p message in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg","labels":["CVE-2026-22868","GHSA-mq3p-rrmp-79jg"],"created_at":"2026-04-26 03:01:54.537755+00:00","updated_at":"2026-04-26 03:01:54.537755+00:00"},{"id":5190,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.14.0","fixed_version":"1.14.13","bug_id":"osv:GO-2025-3436","title":"Go Ethereum vulnerable to DoS via malicious p2p message in github.com/ethereum/go-ethereum","description":"Go Ethereum vulnerable to DoS via malicious p2p message in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2","labels":["CVE-2025-24883","GHSA-q26p-9cq4-7fc2"],"created_at":"2026-04-26 03:01:54.535139+00:00","updated_at":"2026-04-26 03:01:54.535139+00:00"},{"id":5189,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.13.15","bug_id":"osv:GO-2024-2819","title":"Denial of Service in github.com/ethereum/go-ethereum","description":"A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent 
from an attacker node. This can result in a denial of service as the node runs out of memory.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4xc9-8hmq-j652","labels":["CVE-2024-32972","GHSA-4xc9-8hmq-j652"],"created_at":"2026-04-26 03:01:54.532522+00:00","updated_at":"2026-04-26 03:01:54.532522+00:00"},{"id":5188,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.12.1","bug_id":"osv:GO-2023-2046","title":"Unbounded memory consumption in github.com/ethereum/go-ethereum","description":"Unbounded memory consumption in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm","labels":["CVE-2023-40591","GHSA-ppjg-v974-84cm"],"created_at":"2026-04-26 03:01:54.529870+00:00","updated_at":"2026-04-26 03:01:54.529870+00:00"},{"id":5187,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.8.14","bug_id":"osv:GO-2022-0871","title":"Go Ethereum Improper Input Validation in github.com/ethereum/go-ethereum","description":"Go Ethereum Improper Input Validation in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qr2j-wrhx-4829","labels":["CVE-2018-16733","GHSA-qr2j-wrhx-4829"],"created_at":"2026-04-26 03:01:54.527310+00:00","updated_at":"2026-04-26 03:01:54.527310+00:00"},{"id":5186,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.8.14","bug_id":"osv:GO-2022-0814","title":"Go Ethereum Denial of Service in github.com/ethereum/go-ethereum","description":"Go Ethereum Denial of Service in 
github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9h4h-8w5p-f28w","labels":["CVE-2018-19184","GHSA-9h4h-8w5p-f28w"],"created_at":"2026-04-26 03:01:54.524670+00:00","updated_at":"2026-04-26 03:01:54.524670+00:00"},{"id":5185,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.9.24","bug_id":"osv:GO-2022-0775","title":"Erroneous Proof of Work calculation in geth in github.com/ethereum/go-ethereum","description":"Erroneous Proof of Work calculation in geth in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p","labels":["CVE-2020-26240","GHSA-v592-xf75-856p"],"created_at":"2026-04-26 03:01:54.521967+00:00","updated_at":"2026-04-26 03:01:54.521967+00:00"},{"id":5184,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.9.7","fixed_version":"1.9.17","bug_id":"osv:GO-2022-0771","title":"Shallow copy bug in geth in github.com/ethereum/go-ethereum","description":"Shallow copy bug in geth in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf","labels":["CVE-2020-26241","GHSA-69v6-xc2j-r2jf"],"created_at":"2026-04-26 03:01:54.519437+00:00","updated_at":"2026-04-26 03:01:54.519437+00:00"},{"id":5183,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.10.17","bug_id":"osv:GO-2022-0456","title":"DoS via malicious p2p message in Go Ethereum in github.com/ethereum/go-ethereum","description":"DoS via malicious p2p message in Go Ethereum in 
github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5","labels":["CVE-2022-29177","GHSA-wjxw-gh3m-7pm5"],"created_at":"2026-04-26 03:01:54.516771+00:00","updated_at":"2026-04-26 03:01:54.516771+00:00"},{"id":5182,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.9.24","bug_id":"osv:GO-2022-0392","title":"Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum","description":"Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6gx-rhvj-fh52","labels":["GHSA-m6gx-rhvj-fh52"],"created_at":"2026-04-26 03:01:54.514102+00:00","updated_at":"2026-04-26 03:01:54.514102+00:00"},{"id":5181,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.10.9","bug_id":"osv:GO-2022-0256","title":"Panic via maliciously crafted message in github.com/ethereum/go-ethereum","description":"A maliciously crafted snap/1 protocol message can cause a panic.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/pull/23657/commits/f1fd963a5a965e643e52fcf805a2a02a323c32b8","labels":["CVE-2021-41173","GHSA-59hh-656j-3p7v"],"created_at":"2026-04-26 03:01:54.511503+00:00","updated_at":"2026-04-26 03:01:54.511503+00:00"},{"id":5180,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.10.8","bug_id":"osv:GO-2022-0254","title":"Consensus flaw during block processing in github.com/ethereum/go-ethereum","description":"A vulnerability in the Geth EVM can cause a node to reject the canonical chain.\n\nA memory-corruption bug within the EVM can cause a consensus error, 
where vulnerable nodes obtain a different stateRoot when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f","labels":["CVE-2021-39137","GHSA-9856-9gg9-qcmq"],"created_at":"2026-04-26 03:01:54.508854+00:00","updated_at":"2026-04-26 03:01:54.508854+00:00"},{"id":5179,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.9.4","fixed_version":"1.9.20","bug_id":"osv:GO-2021-0105","title":"Consensus flaw in github.com/ethereum/go-ethereum","description":"Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement, causing users of this package to reject a canonical chain.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/pull/21080","labels":["CVE-2020-26265","GHSA-xw37-57qp-9mm4"],"created_at":"2026-04-26 03:01:54.506155+00:00","updated_at":"2026-04-26 03:01:54.506155+00:00"},{"id":5178,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.8.11","bug_id":"osv:GO-2021-0075","title":"Panic due to improper validation of RPC messages in github.com/ethereum/go-ethereum","description":"Due to improper argument validation in RPC messages, a maliciously crafted message can cause a panic, leading to denial of service.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/pull/16891","labels":["CVE-2018-12018","GHSA-p5gc-957x-gfw9"],"created_at":"2026-04-26 03:01:54.503498+00:00","updated_at":"2026-04-26 03:01:54.503498+00:00"},{"id":5177,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.9.25","bug_id":"osv:GO-2021-0063","title":"Nil pointer dereference via 
malicious RPC message in github.com/ethereum/go-ethereum","description":"Due to a nil pointer dereference, a maliciously crafted RPC message can cause a panic. If handling RPC messages from untrusted clients, this may be used as a denial of service vector.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/pull/21896","labels":["CVE-2020-26264","GHSA-r33q-22hv-j29q"],"created_at":"2026-04-26 03:01:54.500819+00:00","updated_at":"2026-04-26 03:01:54.500819+00:00"},{"id":5176,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.9.4","fixed_version":"1.9.20","bug_id":"osv:GHSA-xw37-57qp-9mm4","title":"Consensus flaw during block processing in github.com/ethereum/go-ethereum","description":"### Impact\n\nA consensus-vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain. \n\n### Description\n\n\nA flaw was reported at 2020-08-11 by John Youngseok Yang (Software Platform Lab), where a particular sequence of transactions could cause a consensus failure.\n\n- Tx 1:\n  - `sender` invokes `caller`.\n  - `caller` invokes `0xaa`. `0xaa` has 3 wei, does a self-destruct-to-self\n  - `caller` does a  `1 wei` -call to `0xaa`, who thereby has 1 wei (the code in `0xaa` still executed, since the tx is still ongoing, but doesn't redo the selfdestruct, it takes a different path if callvalue is non-zero)\n\n- Tx 2:\n  - `sender` does a 5-wei call to 0xaa. No exec (since no code). \n\nIn geth, the result would be that `0xaa` had `6 wei`, whereas OE reported (correctly) `5` wei. Furthermore, in geth, if the second tx was not executed, the `0xaa` would be destructed, resulting in `0 wei`. Thus obviously wrong. \n\nIt was determined that the root cause was this [commit](https://github.com/ethereum/go-ethereum/commit/223b950944f494a5b4e0957fd9f92c48b09037ad) from [this PR](https://github.com/ethereum/go-ethereum/pull/19953). 
The semantics of `createObject` was subtly changed, into returning a non-nil object (with `deleted=true`) where it previously did not if the account had been destructed. This return value caused the new object to inherit the old `balance`:\n\n```golang\nfunc (s *StateDB) CreateAccount(addr common.Address) {\n\tnewObj, prev := s.createObject(addr)\n\tif prev != nil {\n\t\tnewObj.setBalance(prev.data.Balance)\n\t}\n}\n```\n\nIt was determined that the minimal possible correct fix was\n\n```diff\n+++ b/core/state/statedb.go\n@@ -589,7 +589,10 @@ func (s *StateDB) createObject(addr common.Address) (newobj, prev *stateObject)\n                s.journal.append(resetObjectChange{prev: prev, prevdestruct: prevdestruct})\n        }\n        s.setStateObject(newobj)\n-       return newobj, prev\n+       if prev != nil && !prev.deleted {\n+               return newobj, prev\n+       }\n+       return newobj, nil\n```\n\n### Patches\n\nSee above. The fix was included in Geth `v1.9.20` \"Paragade\".\n\n### Credits\n\nThe bug was found by @johnyangk and reported via bounty@ethereum.org.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4","labels":["CVE-2020-26265","GO-2021-0105"],"created_at":"2026-04-26 03:01:54.498158+00:00","updated_at":"2026-04-26 03:01:54.498158+00:00"},{"id":5175,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.10.17","bug_id":"osv:GHSA-wjxw-gh3m-7pm5","title":"DoS via malicious p2p message in Go Ethereum","description":"### Impact\n\nA vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an 
attacker node. \n\n### Patches\n\nThe following PR addresses the problem: https://github.com/ethereum/go-ethereum/pull/24507\n\n### Workarounds\n\nAside from applying the PR linked above, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack.\n\n### Credits\n\nThis bug was reported by `nrv` via bounty@ethereum.org, who has gracefully requested that the bounty rewards be donated to Médecins sans frontières.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5","labels":["CVE-2022-29177","GO-2022-0456"],"created_at":"2026-04-26 03:01:54.495578+00:00","updated_at":"2026-04-26 03:01:54.495578+00:00"},{"id":5171,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.9.24","bug_id":"osv:GHSA-v592-xf75-856p","title":"Erroneous Proof of Work calculation in geth","description":"### Impact\nAn ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected.\n\n### Patches\nThis issue is also fixed as of 1.9.24. Thanks to @slavikus for bringing the issue to our attention and writing the fix. 
\n\n### Workarounds\nThis PR implements a patch: https://github.com/ethereum/go-ethereum/pull/21793 \n\n### References\nhttps://blog.ethereum.org/2020/11/12/geth_security_release/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p","labels":["CVE-2020-26240","GO-2022-0775"],"created_at":"2026-04-26 03:01:54.485026+00:00","updated_at":"2026-04-26 03:01:54.485026+00:00"},{"id":5170,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":null,"bug_id":"osv:GHSA-rqmg-hrg4-fm69","title":"Go Ethereum allows attackers to use manipulation of time-difference values to achieve replacement of main-chain blocks","description":"Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.","severity":"medium","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37450","labels":["CVE-2022-37450"],"created_at":"2026-04-26 03:01:54.482405+00:00","updated_at":"2026-04-26 03:01:54.482405+00:00"},{"id":5169,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.9.25","bug_id":"osv:GHSA-r33q-22hv-j29q","title":"Denial of service in github.com/ethereum/go-ethereum","description":"### Impact\n\nA DoS vulnerability can make a LES server crash via malicious `GetProofsV2` request from a connected LES client.\n\n### Patches\n\nThe vulnerability was patched in 
https://github.com/ethereum/go-ethereum/pull/21896. \n\n### Workarounds\n\nThis vulnerability only concerns users explicitly enabling `les` server; disabling `les` prevents the exploit. \nIt can also be patched by manually applying the patch in https://github.com/ethereum/go-ethereum/pull/21896. \n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q","labels":["CVE-2020-26264","GO-2021-0063"],"created_at":"2026-04-26 03:01:54.479776+00:00","updated_at":"2026-04-26 03:01:54.479776+00:00"},{"id":5167,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.14.0","fixed_version":"1.14.13","bug_id":"osv:GHSA-q26p-9cq4-7fc2","title":"Go Ethereum vulnerable to DoS via malicious p2p message","description":"### Impact\n\nA vulnerable node can be forced to shutdown/crash using a specially crafted message.\n\nDuring the peer-to-peer connection handshake, a shared secret key is computed. 
The implementation\ndid not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve.\nBy simply sending an all-zero public key, a crash could be induced due to unexpected results from the handshake.\n\nThe issue was fixed by adding a curve point validity check in https://github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3\n\n### Patches\n\nA fix has been included in geth version 1.14.13 and onwards.\n\n### Workarounds\n\nUnfortunately, no workaround is available.\n\n### Credits\n\nThis issue was originally reported to Polygon Security by David Matosse (@iam-ned).","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2","labels":["CVE-2025-24883","GO-2025-3436"],"created_at":"2026-04-26 03:01:54.474220+00:00","updated_at":"2026-04-26 03:01:54.474220+00:00"},{"id":5161,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.16.9","bug_id":"osv:GHSA-m6j8-rg6r-7mv8","title":"Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake","description":"### Impact\n\nThrough a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.\n\n### Patches\n\nThe issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. 
We recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth.\n\n### Credit\n\nThe issue was reported as a public pull request to go-ethereum by @fengjian.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6j8-rg6r-7mv8","labels":["CVE-2026-26315","GO-2026-4511"],"created_at":"2026-04-26 03:01:54.453488+00:00","updated_at":"2026-04-26 03:01:54.453488+00:00"},{"id":5159,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.9.16","fixed_version":"1.9.18","bug_id":"osv:GHSA-jm5c-rv3w-w83m","title":"Denial of service in geth","description":"### Impact\nDenial-of-service (crash) during block processing\n\n### Details\n\nAffected versions suffer from a vulnerability which can be exploited through the `MULMOD` operation, by specifying a modulo of `0`: `mulmod(a,b,0)`, causing a `panic` in the underlying library. \nThe crash was in the `uint256` library, where a buffer [underflowed](https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L442).\n\n\tif `d == 0`, `dLen` remains `0`\n\nand https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L451 will try to access index `[-1]`.\n\nThe `uint256` library was first merged in this [commit](https://github.com/ethereum/go-ethereum/commit/cf6674539c589f80031f3371a71c6a80addbe454), on 2020-06-08. \nExploiting this vulnerability would cause all vulnerable nodes to drop off the network. 
\n\nThe issue was brought to our attention through a [bug report](https://github.com/ethereum/go-ethereum/issues/21367), showing a `panic` occurring on sync from genesis on the Ropsten network.\n \nIt was estimated that the least obvious way to fix this would be to merge the fix into `uint256`, make a new release of that library and then update the geth-dependency.\n\n- https://github.com/holiman/uint256/releases/tag/v1.1.1 was made the same day, \n- PR to address the issue: https://github.com/holiman/uint256/pull/80 \n- PR to update geth deps: https://github.com/ethereum/go-ethereum/pull/21368 \n\n\n\n### Patches\n\nUpgrade to v1.9.18 or higher\n\n### Workarounds\n\nNot at this time\n\n### References\n\nhttps://blog.ethereum.org/2020/11/12/geth_security_release/\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m","labels":["CVE-2020-26242","GO-2021-0103"],"created_at":"2026-04-26 03:01:54.445407+00:00","updated_at":"2026-04-26 03:01:54.445407+00:00"},{"id":5157,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.10.0","fixed_version":"1.10.8","bug_id":"osv:GHSA-9856-9gg9-qcmq","title":"Ethereum Contains Consensus Flaw During Block Processing","description":"### Impact\n\nA vulnerability in the Geth EVM could cause a node to reject the canonical chain. \n\n### Description \n\nA memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different `stateRoot` when processing a maliciously crafted transaction. 
This, in turn, would lead to the chain being split in two forks.\n\nAll Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.\n\nThis bug was exploited on Mainnet at block 13107518, leading to a minority chain split. \n\n### Patches\n\nA patch is included in the `v1.10.8` release.\nThe exact patch to fix the issue is contained within this [commit](https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f)\n\n### Workarounds\n\nNo workarounds exist, save to update and/or apply the patch commit. \n\n### References. \n\nPost-mortem [write-up](https://github.com/ethereum/go-ethereum/blob/master/docs/postmortems/2021-08-22-split-postmortem.md).\n\n### Credits\n\nThe bug was found by @guidovranken (working for [Sentnl](https://sentnl.io/) during an audit of the [Telos EVM](https://www.telos.net/evm)) and reported via bounty@ethereum.org.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum/)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq","labels":["CVE-2021-39137","GO-2022-0254"],"created_at":"2026-04-26 03:01:54.438180+00:00","updated_at":"2026-04-26 03:01:54.438180+00:00"},{"id":5156,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":"1.9.7","fixed_version":"1.9.17","bug_id":"osv:GHSA-69v6-xc2j-r2jf","title":"Shallow copy bug in geth","description":"### Impact\nThis is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. \n\nGeth’s pre-compiled `dataCopy` (at `0x00...04`) contract did a shallow copy on invocation. 
An attacker could deploy a contract that \n\n- writes `X` to an EVM memory region `R`,\n- calls `0x00..04` with `R` as an argument,\n- overwrites `R` to `Y`,\n- and finally invokes the `RETURNDATACOPY` opcode.\n\nWhen this contract is invoked, a consensus-compliant node would push `X` on the EVM stack, whereas Geth would push `Y`.\n\n\n### Patches\n\nNo standalone patches have been made. \n\n### Workarounds\n\nUpgrade to `1.9.17` or higher.\n\n### References\n\nhttps://blog.ethereum.org/2020/11/12/geth_security_release/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf","labels":["CVE-2020-26241","GO-2022-0771"],"created_at":"2026-04-26 03:01:54.432919+00:00","updated_at":"2026-04-26 03:01:54.432919+00:00"},{"id":5155,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.17.0","bug_id":"osv:GHSA-689v-6xwf-5jf3","title":"Go Ethereum affected by DoS via malicious p2p message","description":"### Impact\n\nAn attacker can cause high memory usage by sending a specially-crafted p2p message.\nMore details to be released later.\n\n### Patches\n\nThe issue is resolved in the v1.17.0 release. 
\n\n### Credit\n\nThis issue was reported to the Ethereum Foundation Bug Bounty Program by @revofusion","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3","labels":["CVE-2026-26313","GO-2026-4508"],"created_at":"2026-04-26 03:01:54.430233+00:00","updated_at":"2026-04-26 03:01:54.430233+00:00"},{"id":5154,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":null,"bug_id":"osv:GHSA-5m8f-chrv-7rw5","title":"Denial of Service in Go-Ethereum","description":"Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They will crash with \"runtime error: invalid memory address or nil pointer dereference\" and raise a SEGV signal.","severity":"medium","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43668","labels":["CVE-2021-43668"],"created_at":"2026-04-26 03:01:54.427573+00:00","updated_at":"2026-04-26 03:01:54.427573+00:00"},{"id":5153,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.10.9","bug_id":"osv:GHSA-59hh-656j-3p7v","title":"Geth Node Vulnerable to DoS via maliciously crafted p2p message","description":"### Impact\n\nA vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer, via the `snap/1` protocol. The crash can be triggered by sending a malicious `snap/1` `GetTrieNodes` package. \n\n### Details\n\nOn September 21, 2021, geth-team member Gary Rong (@rjl493456442) found a way to crash the snap request handler. \nBy using this vulnerability, a peer connected on the `snap/1` protocol could cause a vulnerable node to crash with a `panic`.\n\nIn the `trie.TryGetNode` implementation, if the requested path is reached, the associated node will be returned. 
However, nilness is not checked there.\n\n```golang\nfunc (t *Trie) tryGetNode(origNode node, path []byte, pos int) (item []byte, newnode node, resolved int, err error) {\n\t// If we reached the requested path, return the current node\n\tif pos >= len(path) {\n\t\t// Although we most probably have the original node expanded, encoding\n\t\t// that into consensus form can be nasty (needs to cascade down) and\n\t\t// time consuming. Instead, just pull the hash up from disk directly.\n\t\tvar hash hashNode\n\t\tif node, ok := origNode.(hashNode); ok {\n\t\t\thash = node\n\t\t} else {\n\t\t\thash, _ = origNode.cache()\n\t\t}\n```\nMore specifically, the `origNode` can be nil (e.g. the child of a fullnode) and the system can panic at the line `hash, _ = origNode.cache()`. \n\nWhen investigating this, @holiman tried to find it via fuzzing, which uncovered a second crasher, also related to the snap `GetTrieNodes` package. If the caller requests a storage trie:\n```golang\n\t\t\t\t// Storage slots requested, open the storage trie and retrieve from there\n\t\t\t\taccount, err := snap.Account(common.BytesToHash(pathset[0]))\n\t\t\t\tloads++ // always account database reads, even for failures\n\t\t\t\tif err != nil {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\tstTrie, err := trie.NewSecure(common.BytesToHash(account.Root), triedb)\n```\nThe code assumes that `snap.Account` returns a non-nil account unless an `error` is also returned. This is however not the case, since `snap.Account` can return `nil, nil`. 
\n\n### Patches\n\n```diff\n--- a/eth/protocols/snap/handler.go\n+++ b/eth/protocols/snap/handler.go\n@@ -469,7 +469,7 @@ func handleMessage(backend Backend, peer *Peer) error {\n \t\t\t\t// Storage slots requested, open the storage trie and retrieve from there\n \t\t\t\taccount, err := snap.Account(common.BytesToHash(pathset[0]))\n \t\t\t\tloads++ // always account database reads, even for failures\n-\t\t\t\tif err != nil {\n+\t\t\t\tif err != nil || account == nil {\n \t\t\t\t\tbreak\n \t\t\t\t}\n \t\t\t\tstTrie, err := trie.NewSecure(common.BytesToHash(account.Root), triedb)\ndiff --git a/trie/trie.go b/trie/trie.go\nindex 7ea7efa835..d0f0d4e2bc 100644\n--- a/trie/trie.go\n+++ b/trie/trie.go\n@@ -174,6 +174,10 @@ func (t *Trie) TryGetNode(path []byte) ([]byte, int, error) {\n }\n \n func (t *Trie) tryGetNode(origNode node, path []byte, pos int) (item []byte, newnode node, resolved int, err error) {\n+\t// If non-existent path requested, abort\n+\tif origNode == nil {\n+\t\treturn nil, nil, 0, nil\n+\t}\n \t// If we reached the requested path, return the current node\n \tif pos >= len(path) {\n \t\t// Although we most probably have the original node expanded, encoding\n@@ -193,10 +197,6 @@ func (t *Trie) tryGetNode(origNode node, path []byte, pos int) (item []byte, new\n \t}\n \t// Path still needs to be traversed, descend into children\n \tswitch n := (origNode).(type) {\n-\tcase nil:\n-\t\t// Non-existent path requested, abort\n-\t\treturn nil, nil, 0, nil\n-\n \tcase valueNode:\n \t\t// Path prematurely ended, abort\n \t\treturn nil, nil, 0, nil\n\n``` \nThe fixes were merged into [#23657](https://github.com/ethereum/go-ethereum/pull/23657), with commit [f1fd963](https://github.com/ethereum/go-ethereum/pull/23657/commits/f1fd963a5a965e643e52fcf805a2a02a323c32b8), and released as part of Geth [v1.10.9](https://github.com/ethereum/go-ethereum/tree/v1.10.9) on Sept 29, 2021. 
\n\n### Workarounds\n\nApply the patch above or upgrade to a version which is not vulnerable.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum/)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v","labels":["CVE-2021-41173","GO-2022-0256"],"created_at":"2026-04-26 03:01:54.424973+00:00","updated_at":"2026-04-26 03:01:54.424973+00:00"},{"id":5160,"ecosystem":"go","package_name":"github.com/ethereum/go-ethereum","affected_version":null,"fixed_version":"1.9.24","bug_id":"osv:GHSA-m6gx-rhvj-fh52","title":"Denial of service in go-ethereum due to CVE-2020-28362","description":"### Impact\nVersions of Geth built with Go `<1.15.5` or `<1.14.12` are most likely affected by a critical DoS-related security vulnerability. The golang team has registered the underlying flaw as ‘CVE-2020-28362’.\n\nWe recommend all users to rebuild (ideally `v1.9.24`) with Go `1.15.5` or `1.14.12`, to avoid node crashes. Alternatively, if you are running binaries distributed via one of our official channels, we’re going to release `v1.9.24` ourselves built with Go `1.15.5`.\n\n### Patches\nThis is not an issue in go-ethereum, rebuilding an older version with Go `1.15.5` or `1.14.12` will suffice to address the vulnerability. \n\n### Workarounds\nRebuilding with Go `1.15.5` or `1.14.12` will suffice to address the vulnerability. 
\n\n### References\n- https://blog.ethereum.org/2020/11/12/geth_security_release/\n- https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6gx-rhvj-fh52","labels":["GO-2022-0392"],"created_at":"2026-04-26 03:01:54.448464+00:00","updated_at":"2026-04-26 03:01:54.448464+00:00"}],"total":45,"_cache":"hit"}