Geth Crash Course: CVE-2026-22862

Alon Barad
Software Engineer

Jan 13, 2026 · 6 min read

Executive Summary (TL;DR)

If you run Geth < 1.16.8, a malicious peer can kill your node instantly with a tiny, malformed encrypted packet. Alternatively, they can flood you with bad math (invalid KZG proofs) to melt your CPU. Update now or enjoy the silence.

A critical Denial of Service vulnerability in go-ethereum (Geth) allows connected peers to crash the node via malformed ECIES messages or exhaust CPU resources through invalid KZG proofs.


CVSS Score: 7.1 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
5,000 nodes (via EtherNodes)

Affected Systems

go-ethereum (geth) < 1.16.8

Affected Versions Detail

Product: go-ethereum (Ethereum)
Affected Versions: < 1.16.8
Fixed Version: 1.16.8
Attribute: Detail
CWE ID: CWE-20 (Improper Input Validation)
CVSS Score: 7.1 (High)
Attack Vector: Network (P2P)
Impact: Denial of Service (Crash or Resource Exhaustion)
Exploit Status: PoC Available
Language: Go (Golang)

Vulnerability Timeline

2026-01-09: Patch committed to master
2026-01-13: CVE published / Release v1.16.8
