6.9

Go Ethereum Fails to Properly Verify Node Key

CVE-2026-26315 GHSA-m6j8-rg6r-7mv8
Summary

Go Ethereum (Geth), a popular Ethereum client, has a flaw in its ECIES cryptography implementation that may allow an attacker to extract bits of the p2p node key. This could lead to unauthorized access to your node and potentially allow an attacker to disrupt your operations. To fix this, update to version 1.16.9 or later and immediately rotate your node key by deleting the nodekey file in your Ethereum data directory (`<datadir>/geth/nodekey`) before starting Geth.

What to do
  • Update github.com ethereum to version 1.16.9.
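
The upgrade-then-rotate order from the summary, as an added shell example (not code from the go-ethereum project). The function names `is_patched` and `rotate_nodekey` are hypothetical; the script assumes Geth is stopped and that the operator passes in the installed version string.

```shell
#!/bin/sh
# Added example: refuse to rotate the node key until the binary is patched.
FIXED_VERSION="1.16.9"   # first fixed release named in the advisory

# is_patched VERSION
# Returns 0 if VERSION (e.g. "v1.17.0-stable") is >= FIXED_VERSION,
# 1 if it is older, 2 if it is not a MAJOR.MINOR.PATCH string.
is_patched() {
    v=${1#v}            # drop a leading "v"
    v=${v%%[-+]*}       # drop a suffix such as "-stable"
    case $v in
        ''|*[!0-9.]*|*.*.*.*|*..*|.*|*.) return 2 ;;
        *.*.*) ;;
        *) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    # Split both versions on "." into $1..$3 (installed) and $4..$6 (fixed).
    set -- $v $FIXED_VERSION
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# rotate_nodekey DATADIR VERSION
# Removes <datadir>/geth/nodekey so Geth creates a fresh key on next start.
# A key rotated while still running a vulnerable build stays exposed,
# so the removal is refused unless VERSION is patched.
rotate_nodekey() {
    datadir=$1; version=$2
    keyfile="$datadir/geth/nodekey"
    if ! is_patched "$version"; then
        echo "geth $version is not patched; upgrade before rotating" >&2
        return 1
    fi
    if [ ! -f "$keyfile" ]; then
        echo "no nodekey at $keyfile; nothing to rotate" >&2
        return 0
    fi
    rm -f -- "$keyfile" && echo "removed $keyfile"
}

# Run directly as: sh rotate.sh <datadir> <installed-version>
if [ "$#" -eq 2 ]; then rotate_nodekey "$1" "$2"; fi
```

Rotating the key changes the node's p2p identity, so any peers that pin the old node ID need the new one.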
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | ethereum | <= 1.16.8 | 1.16.9 |
| ethereum | go_ethereum | <= 1.16.9 | – |
Original title
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake
Original description
### Impact

Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.

### Patches

The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth.

### Credit

The issue was reported as a public pull request to go-ethereum by @fengjian.
nvd CVSS3.1 7.5
nvd CVSS4.0 6.9
Vulnerability type
CWE-203
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026