{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26314", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.807Z", "datePublished": "2026-02-19T21:15:11.752Z", "dateUpdated": "2026-02-20T15:42:28.197Z"}, "containers": {"cna": {"title": "Go Ethereum affected by DoS via malicious p2p message", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r"}, {"name": "https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9"}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"version": "< 1.16.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:15:11.752Z"}, "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth."}], "source": {"advisory": "GHSA-2gjw-fg97-vg3r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:32:18.591679Z", "id": "CVE-2026-26314", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:42:28.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26314", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:32:18.591679Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:32:20.431Z"}}], "cna": {"title": "Go Ethereum affected by DoS via malicious p2p message", "source": {"advisory": "GHSA-2gjw-fg97-vg3r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"status": "affected", "version": "< 1.16.9"}]}], "references": [{"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r", "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60", "name": "https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9", "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:15:11.752Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26314", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:42:28.197Z", "dateReserved": "2026-02-13T16:27:51.807Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T21:15:11.752Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "1923F28D-FCD9-4209-9C73-3502DE777CC3", "versionEndExcluding": "1.16.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth."}, {"lang": "es", "value": "go-ethereum (geth) es una implementaci\u00f3n de capa de ejecuci\u00f3n de golang del protocolo Ethereum. Antes de la versi\u00f3n 1.16.9, un nodo vulnerable puede ser forzado a apagarse/colapsar usando un mensaje especialmente dise\u00f1ado. El problema est\u00e1 resuelto en las versiones v1.16.9 y v1.17.0 de Geth."}], "id": "CVE-2026-26314", "lastModified": "2026-02-23T18:32:26.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T22:16:46.813", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.16.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "go-ethereum", "source": "cna", "vendor": "ethereum"}, "product": "go_ethereum", "vendor": "ethereum"}], "analysis": {"en": {"generated_at": "2026-04-17T17:52:42.266257+00:00", "value": {"mitigation_remediation": ["Upgrade geth to version 1.16.9 or later (including 1.17.0 and any subsequent releases)", "Configure the node to accept connections only from trusted peers or restrict access via firewall rules", "Set up automated monitoring or watchdog functionality to detect a crash and restart the node promptly"], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Ethereum\u2019s Go implementation, geth, is affected in all releases prior to version 1.16.9 and 1.17.0. Users running any earlier version than 1.16.9, including patches before the 1.16.9 release, are susceptible.", "description_and_impact": "The vulnerability allows a specially crafted peer\u2011to\u2011peer message to cause the geth node to crash, resulting in a denial of service. It is a flaw in input validation (CWE\u201120) that leads to unexpected termination of the execution layer. An attacker cannot compromise confidentiality or integrity, but can render the affected node unavailable for as long as the crash persists.", "risk_and_exploitability": "This vulnerability has a CVSS score of 8.7, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present. It is not listed in CISA\u2019s KEV catalog. An attacker can exploit it by sending the crafted message through the standard peer\u2011to\u2011peer protocol; no local privileges or additional conditions are required beyond network reachability to the node."}}}}, "created": "2026-02-20T09:53:54.424861+00:00", "updated": "2026-04-17T18:00:12.178814+00:00", "vendors": ["ethereum", "ethereum$PRODUCT$go_ethereum"]}