{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26313", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.807Z", "datePublished": "2026-02-19T21:07:37.943Z", "dateUpdated": "2026-02-20T19:53:54.846Z"}, "containers": {"cna": {"title": "Go Ethereum affected by DoS via malicious p2p message", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0"}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"version": "< 1.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:07:37.943Z"}, "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release."}], "source": {"advisory": "GHSA-689v-6xwf-5jf3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T19:51:54.100199Z", "id": "CVE-2026-26313", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T19:53:54.846Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26313", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T19:51:54.100199Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T19:53:49.667Z"}}], "cna": {"title": "Go Ethereum affected by DoS via malicious p2p message", "source": {"advisory": "GHSA-689v-6xwf-5jf3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"status": "affected", "version": "< 1.17.0"}]}], "references": [{"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3", "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0", "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:07:37.943Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26313", "state": "PUBLISHED", "dateUpdated": "2026-02-20T19:53:54.846Z", "dateReserved": "2026-02-13T16:27:51.807Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T21:07:37.943Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E92650F-E3FF-467C-9B14-FE9C101C0EE4", "versionEndExcluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release."}], "id": "CVE-2026-26313", "lastModified": "2026-02-23T18:41:53.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T21:18:31.980", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "go-ethereum", "source": "cna", "vendor": "ethereum"}, "product": "go_ethereum", "vendor": "ethereum"}], "analysis": {"en": {"generated_at": "2026-04-17T17:53:00.140149+00:00", "value": {"mitigation_remediation": ["Update Go Ethereum to version 1.17.0 or later to apply the vendor\u2011provided fix.", "Restrict connections to trusted peers by configuring the node\u2019s P2P settings or using a firewall to limit inbound traffic.", "Monitor memory consumption and set operating system resource limits to detect and mitigate anomalous memory usage spikes."], "summary": {"action": "Upgrade", "impact": "Denial of Service via high memory usage"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Go Ethereum (geth) client for all versions earlier than 1.17.0. Users of any operating system that installs geth under the Ethereum organization\u2019s open source distribution are impacted. The issue was fully patched in release 1.17.0.", "description_and_impact": "A specially-crafted peer-to-peer message can cause the Go Ethereum client to allocate excessive memory, resulting in a denial of service. The vulnerability is a type of resource exhaustion flaw, mapped to CWE-770, and can severely impact the availability of the node by exhausting local system memory. If exploited, the attacker may interdict the node\u2019s ability to process normal traffic, potentially affecting the decentralised network it supports.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.9, indicating a moderate severity. The EPSS score is less than 1%, meaning active exploitation is currently considered unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is primarily remote, through a malicious p2p message sent over the Ethereum peer\u2011to\u2011peer network; the attacker does not need to compromise the node locally. Exploitation requires the node to accept the crafted message and process it without proper memory controls."}}}}, "created": "2026-02-20T09:53:55.366157+00:00", "updated": "2026-04-17T18:00:12.179562+00:00", "vendors": ["ethereum", "ethereum$PRODUCT$go_ethereum"]}