Vulnerability Description
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ethereum | Go Ethereum | < 1.9.25 |
Related Weaknesses (CWE)
References
- https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cfPatchThird Party Advisory
- https://github.com/ethereum/go-ethereum/pull/21896PatchThird Party Advisory
- https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25Third Party Advisory
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29qThird Party Advisory
- https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cfPatchThird Party Advisory
- https://github.com/ethereum/go-ethereum/pull/21896PatchThird Party Advisory
- https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25Third Party Advisory
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29qThird Party Advisory
FAQ
What is CVE-2020-26264?
CVE-2020-26264 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetPro...
How severe is CVE-2020-26264?
CVE-2020-26264 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26264?
Check the references section above for vendor advisories and patch information. Affected products include: Ethereum Go Ethereum.