5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
32.1%
A vulnerability in the Geth EVM could cause a node to reject the canonical chain.
A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot
when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.
All Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.
This bug was exploited on Mainnet at block 13107518, leading to a minority chain split.
A patch is included in the v1.10.8
release.
The exact patch to fix the issue is contained within this commit
No workarounds exist, save to update and/or apply the patch commit.
Post-mortem write-up.
The bug was found by @guidovranken (working for Sentnl during an audit of the Telos EVM) and reported via [email protected].
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/ethereum/go-ethereum | lt | 1.10.8 |
github.com/advisories/GHSA-9856-9gg9-qcmq
github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f
github.com/ethereum/go-ethereum/releases/tag/v1.10.8
github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq
nvd.nist.gov/vuln/detail/CVE-2021-39137
pkg.go.dev/vuln/GO-2022-0254
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
32.1%