Cyber Resilience

CVE-2026-22862

High

Published: 13 January 2026

Published
13 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 11.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22862 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ethereum Go Ethereum. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22862 is a denial-of-service vulnerability in go-ethereum (geth), a Golang implementation of the Ethereum protocol's execution layer. Published on 2026-01-13, it allows a vulnerable node to be forced into shutdown or crash through a specially crafted message. The issue stems from improper input validation (CWE-20) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with no confidentiality or integrity effects.

Any unauthenticated attacker with network access to a vulnerable geth node can exploit this vulnerability by sending the specially crafted message, requiring low complexity and no user interaction. Successful exploitation results in a complete denial of service, crashing the Ethereum node and potentially disrupting blockchain operations dependent on that instance.

The vulnerability is addressed in go-ethereum version 1.16.8. The fixing commit is documented at https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2, and the GitHub security advisory provides additional details at https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h. Operators should upgrade to the patched release to mitigate the risk.

EU & UK References

Vulnerability details

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

DoS via crafted network message exploiting input validation flaw directly enables Endpoint DoS through application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22868Same product: Ethereum Go Ethereum
CVE-2026-26314Same product: Ethereum Go Ethereum
CVE-2026-26313Same product: Ethereum Go Ethereum
CVE-2026-26315Same product: Ethereum Go Ethereum
CVE-2025-70123Shared CWE-20
CVE-2025-61616Shared CWE-20
CVE-2026-22565Shared CWE-20
CVE-2026-22699Shared CWE-20
CVE-2026-33218Shared CWE-20
CVE-2025-59032Shared CWE-20

Affected Assets

ethereum
go ethereum
≤ 1.16.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of flaws, directly requiring upgrade of go-ethereum to version 1.16.8 to remediate the crash-inducing vulnerability.

prevent

Requires validation of all information inputs, preventing specially crafted messages from causing denial-of-service crashes due to improper input handling in geth.

prevent

Protects against denial-of-service events like the network-accessible crash exploitation in vulnerable go-ethereum nodes.

References