Description
go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6j8-rg6r-7mv8
Scores
CVSS v3
7.5
EPSS
0.0045
EPSS Percentile
35.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-203
Status
published
Products (2)
ethereum/go-ethereum
0 - 1.16.9Go
ethereum/go_ethereum
< 1.16.9
Published
Feb 19, 2026
Tracked Since
Feb 20, 2026