Bug 835610 (CVE-2021-42219, CVE-2022-37450) - net-p2p/go-ethereum: DoS via message flood
Summary: net-p2p/go-ethereum: DoS via message flood
Alias: CVE-2021-42219, CVE-2022-37450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [??]
Depends on:
Reported: 2022-03-19 04:46 UTC by John Helmert III
Modified: 2022-08-08 16:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description by John Helmert III (2022-03-19 04:46:06 UTC)

Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.

Yeah, the only reference is a Google Doc. I don't know what to make of this, but filing anyway so it doesn't get lost. CVE and "advisory" mention 1.10.9 and we currently have 1.10.14 in tree.
Comment 1 by Larry the Git Cow (2022-05-15 02:54:22 UTC)
The bug has been referenced in the following commit(s):

commit 95934a6cad470274b7797c1abceabfd66f3dfbf9
Author:     Sam James <>
AuthorDate: 2022-05-15 02:46:00 +0000
Commit:     Sam James <>
CommitDate: 2022-05-15 02:46:00 +0000

    net-p2p/go-ethereum: add 1.10.17
    Signed-off-by: Sam James <>

 net-p2p/go-ethereum/Manifest                   |  2 ++
 net-p2p/go-ethereum/go-ethereum-1.10.17.ebuild | 44 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 2 by Sam James (2022-05-15 02:56:23 UTC)
Still couldn't find any more info...
Comment 3 by John Helmert III (2022-08-08 16:16:43 UTC)
CVE-2022-37450 (

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

Unsure if a fixed version exists.