Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835610 (CVE-2021-42219, CVE-2022-37450, CVE-2023-40591, CVE-2023-42319) - net-p2p/go-ethereum: multiple vulnerabilities
Summary: net-p2p/go-ethereum: multiple vulnerabilities
Alias: CVE-2021-42219, CVE-2022-37450, CVE-2023-40591, CVE-2023-42319
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [??]
Depends on:
Reported: 2022-03-19 04:46 UTC by John Helmert III
Modified: 2023-11-24 21:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 04:46:06 UTC

Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.

Yeah, the only reference is a Google Doc. I don't know what to make of this, but filing anyway so it doesn't get lost. CVE and "advisory" mention 1.10.9 and we currently have 1.10.14 in tree.
Comment 1 Larry the Git Cow gentoo-dev 2022-05-15 02:54:22 UTC
The bug has been referenced in the following commit(s):

commit 95934a6cad470274b7797c1abceabfd66f3dfbf9
Author:     Sam James <>
AuthorDate: 2022-05-15 02:46:00 +0000
Commit:     Sam James <>
CommitDate: 2022-05-15 02:46:00 +0000

    net-p2p/go-ethereum: add 1.10.17
    Signed-off-by: Sam James <>

 net-p2p/go-ethereum/Manifest                   |  2 ++
 net-p2p/go-ethereum/go-ethereum-1.10.17.ebuild | 44 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 02:56:23 UTC
Still couldn't find any more info...
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 16:16:43 UTC
CVE-2022-37450 (

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

Unsure if a fixed version exists.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 21:40:31 UTC
CVE-2023-42319 (

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 21:40:52 UTC
CVE-2023-40591 (

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.