CVE-2026-26313
Published: 19 February 2026
Summary
CVE-2026-26313 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Go Ethereum (go-ethereum), the Ethereum Foundation's Go execution-layer client. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 10.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-26313 is a denial-of-service vulnerability in go-ethereum (geth), a Go implementation of the Ethereum protocol's execution layer. Versions prior to 1.17.0 are affected: an attacker can trigger high memory usage by sending a specially crafted peer-to-peer (P2P) message. The flaw stems from CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact through resource exhaustion.
Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. By transmitting the malicious P2P message to a vulnerable geth node, the attacker causes excessive memory allocation, potentially leading to node instability, crashes, or complete denial of service for Ethereum network participants relying on the affected instance.
The vulnerability is fully resolved in go-ethereum version 1.17.0. Administrators should upgrade to this release or later to mitigate the issue. Additional details are available in the official release notes at https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0 and the GitHub security advisory at https://github.com/ethereum/go-ethereum/security/advisories/GHSA-689v-6xwf-5jf3.
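The advisory names the weakness class (CWE-770) but not the specific message or code path inside geth, so the following is an added, generic illustration of that class and not go-ethereum's own code. It assumes a toy wire format (a 4-byte big-endian length prefix followed by the payload) and an assumed per-message cap `MaxFrameSize`; the hostile header is a constructed sample. The unbounded decoder sizes its allocation from the peer-supplied length, the bounded one validates the length first, and `allocatedBytes` measures the difference with `runtime.MemStats` so the resource-exhaustion effect is visible rather than asserted.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"runtime"
)

// MaxFrameSize is an assumed per-message cap chosen for this illustration;
// a real protocol derives it from its largest legitimate message.
const MaxFrameSize = 1 << 20 // 1 MiB

var (
	ErrFrameTooLarge = errors.New("declared frame length exceeds MaxFrameSize")
	ErrTruncated     = errors.New("connection closed before declared length was received")
)

// encodeFrame builds a well-formed frame: 4-byte big-endian length + payload.
func encodeFrame(payload []byte) []byte {
	frame := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(frame[:4], uint32(len(payload)))
	copy(frame[4:], payload)
	return frame
}

// craftHeader is a constructed sample: a header that declares `declared`
// payload bytes but is followed by no payload at all.
func craftHeader(declared uint32) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], declared)
	return hdr[:]
}

// readFrameUnbounded shows the CWE-770 pattern: the peer-controlled length
// prefix sizes the allocation directly, so a 4-byte header can demand up to
// 4 GiB of memory before a single payload byte has arrived.
func readFrameUnbounded(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // sized by the remote peer, no upper bound
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, ErrTruncated
	}
	return buf, nil
}

// readFrameBounded validates the declared length against MaxFrameSize before
// any allocation happens, so a hostile header costs the node nothing.
func readFrameBounded(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > MaxFrameSize {
		return nil, ErrFrameTooLarge
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, ErrTruncated
	}
	return buf, nil
}

// allocatedBytes reports how much heap a decoder allocated while handling
// the given frame bytes, by reading runtime.MemStats before and after.
func allocatedBytes(decode func(io.Reader) ([]byte, error), frame []byte) (uint64, error) {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	_, err := decode(bytes.NewReader(frame))
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc, err
}

func main() {
	// A header claiming 64 MiB with nothing behind it: the unbounded decoder
	// allocates the full 64 MiB and then fails; the bounded one rejects the
	// header before allocating anything.
	hostile := craftHeader(64 << 20)
	decoders := map[string]func(io.Reader) ([]byte, error){
		"unbounded": readFrameUnbounded,
		"bounded":   readFrameBounded,
	}
	for _, name := range []string{"unbounded", "bounded"} {
		n, err := allocatedBytes(decoders[name], hostile)
		fmt.Printf("%-9s allocated %8d KiB, error: %v\n", name, n/1024, err)
	}
}
```

The check belongs before `make`, not after: once the allocation has happened the damage is done, and a subsequent read error only frees the memory for the next hostile header. For a node-level defence that matches SC-5, the same idea applies one layer up, with a cap on in-flight message bytes per peer so that many individually legal frames cannot add up to the same exhaustion.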
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8397
Vulnerability details
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
A crafted P2P message triggers unbounded memory allocation (CWE-770), leading to application crash or denial of service; this directly matches application exploitation for endpoint denial of service.
Mitigating Controls (NIST 800-53 r5) [AI]
SI-2 requires timely flaw remediation, directly addressing this CVE by patching go-ethereum to version 1.17.0, which resolves the unbounded memory allocation from crafted P2P messages.
SC-5 mandates denial-of-service protections such as rate limiting and traffic filtering to prevent resource-exhaustion attacks via specially crafted P2P messages.
SC-6 ensures resource availability by implementing controls that protect against degradation or denial, mitigating the high memory usage triggered by malicious P2P inputs.