CVE-2018-18920

HIGH

Py-EVM v0.2.0-alpha.33 - Denial of Service via Invalid Opcode in Bytecode Execution

Title source: llm

Description

Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."

References (4)

Core References
https://github.com/ethereum/py-evm/issues/1448 (Exploit, Third Party Advisory; x_refsource_misc)
https://twitter.com/NettaLab/status/1060889400102383617 (Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 8.8
EPSS 0.0290
EPSS Percentile 85.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (2)
ethereum/py-evm 0.2.0 alpha.33
pypi/py-evm 0 - 0.2.0a33 (PyPI)
Published Nov 12, 2018
Tracked Since Feb 18, 2026