CVE-2026-26315

HIGH

go-ethereum <1.16.9 - Info Disclosure

Title source: llm

Description

go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth.

References (1)

[Vendor Advisory] https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6j8-rg6r-7mv8

Scores

CVSS v3 7.5

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (2)

ethereum/go-ethereum 0 - 1.16.9Go

ethereum/go_ethereum < 1.16.9

Published Feb 19, 2026

Tracked Since Feb 20, 2026