Erroneous Proof of Work calculation in geth
CVE-2020-26240

5.3MEDIUM

Key Information:

Vendor

Ethereum

Status
Go-ethereum
Vendor
CVE Published:
25 November 2020

What is CVE-2020-26240?

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24

Affected Version(s)

go-ethereum < 1.9.24

References

https://blog.ethereum.org/2020/11/12/geth_security_release/
x_refsource_MISC
https://github.com/ethereum/go-ethereum/security/advisori...
x_refsource_CONFIRM
https://github.com/ethereum/go-ethereum/pull/21793
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-26240 : Erroneous Proof of Work calculation in geth