Cyber Resilience

CVE-2026-26314

High

Published: 19 February 2026

Published
19 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0058 43.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26314 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ethereum Go Ethereum. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26314 is a denial-of-service vulnerability (CWE-20: Improper Input Validation) affecting go-ethereum (geth), a Golang implementation of the Ethereum protocol's execution layer. Versions prior to 1.16.9 are vulnerable, where a specially crafted message can force a node to shutdown or crash. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact without requiring privileges or user interaction.

Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity. By sending a specially crafted message to a vulnerable geth node, the attacker can trigger an immediate shutdown or crash, denying service to the Ethereum node and potentially disrupting blockchain operations dependent on that node.

The vulnerability is fixed in go-ethereum releases v1.16.9 and v1.17.0. Mitigation involves updating to these versions, as detailed in the GitHub security advisory (GHSA-2gjw-fg97-vg3r), the patching commit (895a8597cb16c02203e38707ed2d1da5c500fe60), and the v1.16.9 release notes.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of…

more

Geth.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated crafted-message exploit against network-accessible geth node directly enables T1190 (public-facing app) to achieve T1499.004 (application/system exploitation for DoS/crash).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22862Same product: Ethereum Go Ethereum
CVE-2026-22868Same product: Ethereum Go Ethereum
CVE-2026-26313Same product: Ethereum Go Ethereum
CVE-2026-26315Same product: Ethereum Go Ethereum
CVE-2026-21864Shared CWE-20
CVE-2025-20142Shared CWE-20
CVE-2025-59895Shared CWE-20
CVE-2025-69232Shared CWE-20
CVE-2025-71003Shared CWE-20
CVE-2025-66786Shared CWE-20

Affected Assets

ethereum
go ethereum
≤ 1.16.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely flaw remediation through patching vulnerable go-ethereum versions to v1.16.9 or later, eliminating the crash from crafted messages.

prevent

Requires validation of all information inputs, including network messages to geth nodes, preventing crashes due to improper input validation (CWE-20).

prevent

Implements denial-of-service protections to safeguard against unauthenticated network attacks causing high availability impact via node shutdowns.

References