CVE-2026-26314

High

Published: 19 February 2026

Published

19 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0006 18.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26314 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ethereum Go Ethereum. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

PM-14 Testing, Training, and Monitoring

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

SA-11 Developer Testing and Evaluation

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

SI-10 Information Input Validation

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

SI-8 Spam Protection

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated crafted-message exploit against network-accessible geth node directly enables T1190 (public-facing app) to achieve T1499.004 (application/system exploitation for DoS/crash).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of…

Geth.

Deeper analysisAI

CVE-2026-26314 is a denial-of-service vulnerability (CWE-20: Improper Input Validation) affecting go-ethereum (geth), a Golang implementation of the Ethereum protocol's execution layer. Versions prior to 1.16.9 are vulnerable, where a specially crafted message can force a node to shutdown or crash. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact without requiring privileges or user interaction.

Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity. By sending a specially crafted message to a vulnerable geth node, the attacker can trigger an immediate shutdown or crash, denying service to the Ethereum node and potentially disrupting blockchain operations dependent on that node.

The vulnerability is fixed in go-ethereum releases v1.16.9 and v1.17.0. Mitigation involves updating to these versions, as detailed in the GitHub security advisory (GHSA-2gjw-fg97-vg3r), the patching commit (895a8597cb16c02203e38707ed2d1da5c500fe60), and the v1.16.9 release notes.