CVE-2020-26264
MEDIUMGo Ethereum < 1.9.25 - Denial of Service via Malicious GetProofsV2 Request
Title source: llmDescription
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q
Patch, Third Party Advisory x_refsource_misc
https://github.com/ethereum/go-ethereum/pull/21896
Patch, Third Party Advisory x_refsource_misc
https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
Third Party Advisory x_refsource_misc
https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25
Scores
CVSS v3
6.5
EPSS
0.0186
EPSS Percentile
76.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (2)
ethereum/go-ethereum
0 - 1.9.25Go
ethereum/go_ethereum
< 1.9.25
Published
Dec 11, 2020
Tracked Since
Feb 18, 2026