CVE-2026-22862
Published: 13 January 2026
Summary
CVE-2026-22862 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ethereum Go Ethereum. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DoS via crafted network message exploiting input validation flaw directly enables Endpoint DoS through application exploitation (T1499.004).
NVD Description
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.
Deeper analysisAI
CVE-2026-22862 is a denial-of-service vulnerability in go-ethereum (geth), a Golang implementation of the Ethereum protocol's execution layer. Published on 2026-01-13, it allows a vulnerable node to be forced into shutdown or crash through a specially crafted message. The issue stems from improper input validation (CWE-20) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with no confidentiality or integrity effects.
Any unauthenticated attacker with network access to a vulnerable geth node can exploit this vulnerability by sending the specially crafted message, requiring low complexity and no user interaction. Successful exploitation results in a complete denial of service, crashing the Ethereum node and potentially disrupting blockchain operations dependent on that instance.
The vulnerability is addressed in go-ethereum version 1.16.8. The fixing commit is documented at https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2, and the GitHub security advisory provides additional details at https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h. Operators should upgrade to the patched release to mitigate the risk.
Details
- CWE(s)