CVE-2026-26315 Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake

go-ethereum Geth is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth...

CVE-2026-26315

Go Ethereum (Geth) before v1.16.9 is affected by a flaw in the ECIES cryptography implementation that can allow an attacker to extract bits of the p2p node key. The issue is fixed in v1.16.9 and v1.17.0. After upgrading, rotate the node key by removing the file /geth/nodekey before restarting Get...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the GenerateShared function in ecies.go. An attacker can extract bits of the p2p node key during an RLPx handshake by sending a series of malicious ephemeral public keys and inferring the validity of bits based o...

GHSA-M6J8-RG6R-7MV8 Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake

Impact Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. Patches The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the...