Geth's Crypto-Kryptonite: DoS via KZG & ECIES Exhaustion
Jan 13, 2026·8 min read·9 visits
Executive Summary (TL;DR)
Geth nodes < 1.16.8 are vulnerable to CPU exhaustion. Attackers can spam invalid 'Blob' transactions or malformed P2P handshake packets. The node politely verifies every single piece of garbage data instead of disconnecting the peer, leading to 100% CPU usage and effective denial of service. Update to v1.16.8 immediately.
A high-severity Denial of Service (DoS) vulnerability in Go-ethereum (Geth) allows malicious peers to crash or stall nodes via resource exhaustion. The issue stems from two distinct flaws: failure to fail-fast on invalid KZG proofs (introduced in EIP-4844) and an insufficient length check in ECIES encryption handshakes, causing the CPU to waste cycles on computationally expensive cryptographic verifications for invalid data.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
go-ethereum ethereum | < 1.16.8 | 1.16.8 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-20 |
| Attack Vector | Network (P2P) |
| CVSS v4.0 | 7.1 (High) |
| Component | TxFetcher & ECIES |
| Impact | Denial of Service (CPU Exhaustion) |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
The product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.