Cyber Resilience

CVE-2026-22868

High

Published: 13 January 2026

Published
13 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22868 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ethereum Go Ethereum. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22868 affects go-ethereum (geth), a Golang implementation of the Ethereum protocol's execution layer. The vulnerability enables a specially crafted message to force a vulnerable node to shut down or crash, stemming from improper input validation (CWE-20). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high-impact availability disruption with no confidentiality or integrity effects.

Any network-accessible attacker can exploit this without privileges, user interaction, or elevated complexity by sending the malicious message to a vulnerable geth node, resulting in denial-of-service through node shutdown or crash.

The vulnerability is fixed in go-ethereum version 1.16.8. For mitigation details, refer to the patching commit at https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 and the security advisory at https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg.

EU & UK References

Vulnerability details

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote crafted message exploits improper input validation in public-facing geth node, directly enabling application-layer DoS via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22862Same product: Ethereum Go Ethereum
CVE-2026-26314Same product: Ethereum Go Ethereum
CVE-2026-26313Same product: Ethereum Go Ethereum
CVE-2026-26315Same product: Ethereum Go Ethereum
CVE-2025-70123Shared CWE-20
CVE-2025-61616Shared CWE-20
CVE-2026-22565Shared CWE-20
CVE-2026-22699Shared CWE-20
CVE-2026-33218Shared CWE-20
CVE-2025-59032Shared CWE-20

Affected Assets

ethereum
go ethereum
≤ 1.16.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the software flaw in go-ethereum by requiring timely patching to version 1.16.8, eliminating the vulnerability.

prevent

Enforces validation of network message inputs to block specially crafted messages that cause node crashes due to improper input handling.

prevent

Implements protections against denial-of-service attacks, specifically addressing the high-impact availability disruption from remote node shutdowns.

References