8.7
Go Ethereum can be crashed by malicious peer-to-peer message
CVE-2026-26314
GHSA-2gjw-fg97-vg3r
Summary
A malicious message sent to a Go Ethereum node can cause it to shut down. This could allow an attacker to disrupt the node's operation. To fix this issue, update to Go Ethereum version 1.16.9 or 1.17.0.
What to do
- Update Go Ethereum (github.com/ethereum/go-ethereum) to version 1.16.9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | ethereum | <= 1.16.8 | 1.16.9 |
| ethereum | go_ethereum | <= 1.16.9 | – |
Original title
Go Ethereum affected by DoS via malicious p2p message
Original description
### Impact
A vulnerable node can be forced to shut down/crash using a specially crafted message.
More details to be released later.
### Patches
The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
### Credit
This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com
nvd CVSS3.1
7.5
nvd CVSS4.0
8.7
Vulnerability type
CWE-20
Improper Input Validation
- https://nvd.nist.gov/vuln/detail/CVE-2026-26314
- https://pkg.go.dev/vuln/GO-2026-4507
- https://github.com/advisories/GHSA-2gjw-fg97-vg3r
- https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c... Patch
- https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9 Release Notes
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r Vendor Advisory
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026