GHSA-2gjw-fg97-vg3r

Source

https://github.com/advisories/GHSA-2gjw-fg97-vg3r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2gjw-fg97-vg3r

Aliases

CVE-2026-26314

Published

2026-02-18T22:35:15Z

Modified

2026-02-20T16:52:03.787759Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Go Ethereum affected by DoS via malicious p2p message

Details

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message. More details to be released later.

Patches

The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com

Database specific

{
    "nvd_published_at": "2026-02-19T22:16:46Z",
    "github_reviewed_at": "2026-02-18T22:35:15Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed": true
}

References

Affected packages

Go / github.com/ethereum/go-ethereum

Package

Name: github.com/ethereum/go-ethereum; View open source insights on deps.dev
Purl: pkg:golang/github.com/ethereum/go-ethereum

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.9

Database specific

last_known_affected_version_range

"<= 1.16.8"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json"