CVE-2026-26314
Published: 19 February 2026
Summary
CVE-2026-26314 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ethereum Go Ethereum. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26314 is a denial-of-service vulnerability (CWE-20: Improper Input Validation) affecting go-ethereum (geth), a Golang implementation of the Ethereum protocol's execution layer. Versions prior to 1.16.9 are vulnerable, where a specially crafted message can force a node to shutdown or crash. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact without requiring privileges or user interaction.
Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity. By sending a specially crafted message to a vulnerable geth node, the attacker can trigger an immediate shutdown or crash, denying service to the Ethereum node and potentially disrupting blockchain operations dependent on that node.
The vulnerability is fixed in go-ethereum releases v1.16.9 and v1.17.0. Mitigation involves updating to these versions, as detailed in the GitHub security advisory (GHSA-2gjw-fg97-vg3r), the patching commit (895a8597cb16c02203e38707ed2d1da5c500fe60), and the v1.16.9 release notes.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8437
Vulnerability details
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of…
more
Geth.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated crafted-message exploit against network-accessible geth node directly enables T1190 (public-facing app) to achieve T1499.004 (application/system exploitation for DoS/crash).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely flaw remediation through patching vulnerable go-ethereum versions to v1.16.9 or later, eliminating the crash from crafted messages.
Requires validation of all information inputs, including network messages to geth nodes, preventing crashes due to improper input validation (CWE-20).
Implements denial-of-service protections to safeguard against unauthenticated network attacks causing high availability impact via node shutdowns.