5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
45.8%
Denial-of-service (crash) during block processing
Affected versions suffer from a vulnerability which can be exploited through the MULMOD
operation, by specifying a modulo of 0
: mulmod(a,b,0)
, causing a panic
in the underlying library.
The crash was in the uint256
library, where a buffer underflowed.
if `d == 0`, `dLen` remains `0`
and https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L451 will try to access index [-1]
.
The uint256
library was first merged in this commit, on 2020-06-08.
Exploiting this vulnerabilty would cause all vulnerable nodes to drop off the network.
The issue was brought to our attention through a bug report, showing a panic
occurring on sync from genesis on the Ropsten network.
It was estimated that the least obvious way to fix this would be to merge the fix into uint256
, make a new release of that library and then update the geth-dependency.
Upgrade to v1.9.18 or higher
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/holiman/uint256 | ge | 0.1.0 | |
github.com/holiman/uint256 | lt | 1.1.1 | |
github.com/ethereum/go-ethereum | lt | 1.9.18 |
blog.ethereum.org/2020/11/12/geth_security_release/
github.com/advisories/GHSA-jm5c-rv3w-w83m
github.com/ethereum/go-ethereum/commit/7163a6664ee664df81b9028ab3ba13b9d65a7196
github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m
github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d
github.com/holiman/uint256/pull/80
nvd.nist.gov/vuln/detail/CVE-2020-26242
pkg.go.dev/vuln/GO-2021-0103
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
45.8%