Go Ethereum
CVE-2022-23328
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).
AnalysisAI
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS). Affected products include: Ethereum Go Ethereum.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
More in Go Ethereum
View allA design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a
Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of servi
Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length
cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted byte
The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and
Geth versions prior to 1.16.9 can be remotely crashed by sending a specially crafted message over the network, allowing
Go Ethereum (geth) nodes can be remotely crashed through maliciously crafted network messages, causing denial of service
Go Ethereum nodes can be remotely crashed by unauthenticated attackers sending specially crafted network messages, resul
Go Ethereum versions up to 1.17.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).
Go Ethereum (Geth) versions prior to 1.16.9 contain a cryptographic implementation flaw in ECIES that allows remote atta
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Rated high severity (CVSS 7.5),
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today