
go.mod: update module github.com/ethereum/go-ethereum to v1.17.0 [SECURITY] #21

Status: Open
renovate[bot] wants to merge 1 commit into main from renovate/go-github.com-ethereum-go-ethereum-vulnerability

Conversation


@renovate renovate Bot commented Jun 16, 2026


This PR contains the following updates:

Package                          | Change             | Age     | Confidence
github.com/ethereum/go-ethereum  | v1.16.6 -> v1.17.0 | (badge) | (badge)

go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node

CVE-2026-22862 / GHSA-mr7q-c9w9-wh4h

More information

Details

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message.
More details to be released later.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by DELENE TCHIO ROMUALD.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message

CVE-2026-22868 / GHSA-mq3p-rrmp-79jg

More information

Details

Impact

An attacker can cause high CPU usage by sending a specially crafted p2p message.
More details to be released later.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by @Yenya030

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Go Ethereum affected by DoS via malicious p2p message

CVE-2026-26313 / GHSA-689v-6xwf-5jf3

More information

Details

Impact

An attacker can cause high memory usage by sending a specially-crafted p2p message.
More details to be released later.

Patches

The issue is resolved in the v1.17.0 release.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by @revofusion

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Go Ethereum affected by DoS via malicious p2p message

CVE-2026-26314 / GHSA-2gjw-fg97-vg3r

More information

Details

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message.
More details to be released later.

Patches

The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake

CVE-2026-26315 / GHSA-m6j8-rg6r-7mv8

More information

Details

Impact

Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.

Patches

The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file <datadir>/geth/nodekey before starting Geth.

Credit

The issue was reported as a public pull request to go-ethereum by @fengjian.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message

CVE-2026-22868 / GHSA-mq3p-rrmp-79jg / GO-2026-4314

More information

Details

Impact

An attacker can cause high CPU usage by sending a specially crafted p2p message.
More details to be released later.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by @Yenya030

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node

CVE-2026-22862 / GHSA-mr7q-c9w9-wh4h / GO-2026-4315

More information

Details

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message.
More details to be released later.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by DELENE TCHIO ROMUALD.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


High CPU usage leading to DoS via malicious p2p message in github.com/ethereum/go-ethereum

CVE-2026-22868 / GHSA-mq3p-rrmp-79jg / GO-2026-4314

More information

Details

High CPU usage leading to DoS via malicious p2p message in github.com/ethereum/go-ethereum

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


DoS via malicious p2p message affecting a vulnerable node in github.com/ethereum/go-ethereum

CVE-2026-22862 / GHSA-mr7q-c9w9-wh4h / GO-2026-4315

More information

Details

DoS via malicious p2p message affecting a vulnerable node in github.com/ethereum/go-ethereum

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Go Ethereum affected by DoS via malicious p2p message

CVE-2026-26314 / GHSA-2gjw-fg97-vg3r / GO-2026-4507

More information

Details

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message.
More details to be released later.

Patches

The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake

CVE-2026-26315 / GHSA-m6j8-rg6r-7mv8 / GO-2026-4511

More information

Details

Impact

Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.

Patches

The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file <datadir>/geth/nodekey before starting Geth.

Credit

The issue was reported as a public pull request to go-ethereum by @fengjian.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum

CVE-2026-26314 / GHSA-2gjw-fg97-vg3r / GO-2026-4507

More information

Details

Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum

CVE-2026-26315 / GHSA-m6j8-rg6r-7mv8 / GO-2026-4511

More information

Details

Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Go Ethereum affected by DoS via malicious p2p message

CVE-2026-26313 / GHSA-689v-6xwf-5jf3 / GO-2026-4508

More information

Details

Impact

An attacker can cause high memory usage by sending a specially-crafted p2p message.
More details to be released later.

Patches

The issue is resolved in the v1.17.0 release.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by @revofusion

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum

CVE-2026-26313 / GHSA-689v-6xwf-5jf3 / GO-2026-4508

More information

Details

Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

ethereum/go-ethereum (github.com/ethereum/go-ethereum)

v1.17.0: Eezo-Inlaid Circuitry (v1.17.0)

Compare Source

This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the amount of blocks for which tree nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now supports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing.
We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI
  • The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
  • There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
  • Geth now supports continuous profiling with Grafana Pyroscope (#33623)
  • A rare bug that could halt block production in geth --dev mode was fixed (#33146)
  • A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
  • geth --exitwhensynced will now set the finalized and safe block (#33038)
  • geth --ethstats now reports the newPayload processing time to the stats server (#33395)
  • A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
  • The evm blocktest command can now read filenames from stdin when no path is provided (#32824)
Fork Implementation
Core
  • The crypto/ecies library allowed extraction of the private key used for key derivation via observation of response timing. We recommend rotating the node key after applying this update. (#33669)
  • When a missing block is encountered during tx unindexing, Geth will now skip it and move on instead of entering an infinite loop. (#33573)
  • Geth now optionally collects and exports metrics about the total state size (#33254, #33376, #33415)
  • There is a new OnStateUpdate hook, which is called after all state of a block has been committed. This gives access to the changeset of the block. (#33490)
  • Some minor tracing bugs have been fixed (#32919, #33148, #33644, #33214)
  • Various minor issues in the freezer database have also been fixed (#33747, #33025, #33203, #33344)
  • The setHead operation now unsets the finalized block, in cases where the rolled-back block range extends before it. (#33486)
  • The SignatureValues method of types.Signer now reports an error for invalid signature sizes (#33647)
  • Geth prints detailed log messages for 'slow blocks' (#33655, #33525, #33442, #32812, #33659, #33532)
  • Pebble configuration has been tweaked for improved performance (#33697, #33353, #33315)
  • A rare crash in the log indexer related to reorg handling has been fixed (#33810)
  • Internal state diff size accounting has been corrected, so state diffs will now be flushed to the disk store less often (#33505)
  • Since the keccak256 hash function variant used by Ethereum no longer has a fast-path in the standard library, we have vendored the keccak implementation back into our repository (#33323)
Library
  • The RLP library now has a RawList type for dealing with un-decoded lists in a more convenient way (#33755, #33834, #33840, #33841)
  • The low-level RLP iterator and uses of it have been improved (#33245, #33188, #33820)
  • Clef can now sign blob transactions with cell proofs (#32910)
  • Fixed some corner-case bugs in metrics exporting (#33749, #33748)
  • The hardware wallet library now supports the Ledger Nano Gen5 and correctly enables EIP-712 signing for all supported versions. (#33297, #33113)
  • SignTextWithPassphrase now works correctly with all supported hardware wallets (#33138)
  • Some minor bugs were fixed in the keystore implementation (#33606, #33602, #33090)
  • The bitutil.XORBytes function has been deprecated in favor of stdlib package crypto/subtle (#33331)
  • A memory leak in the beacon chain light client was fixed (#33483)
RPC
  • eth_getTransactionByHash now returns the blockTimestamp as part of the transaction object (#33709)
  • Error codes for some conditions in eth_simulateV1, eth_getLogs, eth_getStorageAt have been improved to better comply with the execution RPC spec (#33007, #33320, #33282)
  • eth_simulateV1 now selects the correct set of precompiles for the simulated header (#33363)
  • eth_sendTransaction and eth_fillTransaction now default to EIP-1559 (#33058)
  • The GraphQL implementation has received some bug fixes for cases where a resolved item is not found. (#33184, #33225)
  • In GraphQL, the gasPrice is now retrievable for transaction types 0x3 and 0x4 (#33542)
  • The RPC server now enables plain-text HTTP2 for improved performance (#33812)
  • The RPC client no longer sends spurious RST_STREAM HTTP2 frames (#33122)
  • Some minor JSON encoding bugs have been fixed in ethclient (#33693, #33242, #33464)
  • The gethclient has a new wrapper of the callTracer (#31510)
  • In the callTracer, reported logs now contain an index field which is the index of the log within the transaction (#33629)
P2P Networking
  • The transaction pool heartbeat mechanism had some fixes for potential resource leaks (#33704)
  • The eth and snap protocol implementations now validate most p2p messages before decoding their content. This improves security and sync performance in some cases. (#33835)
  • The blob transaction pool has seen some bug fixes and now accepts nonce-gapped transactions to a very limited extent (#32717, #33775, #33474, #33352, #33301, #33260)
  • Snap sync status is now tracked better, ensuring a snap sync will not be triggered accidentally by the engine API (#33157)
  • The snap sync scheduler was improved to better protect the trie database against accidental mutations while the node is processing blocks. This resolves some edge cases where the database could be corrupted (#33428)
  • The header sync implementation was fixed to better deal with setHead operations during sync (#33481)
  • Peer connections delivering stale transactions will be penalized less, since delivery of a few stale transactions is a common occurrence. (#32725)
  • Peers announcing transactions of one type, and delivering a different type, are now disconnected as penalty (#33378)
  • Similarly, peers delivering invalid KZG proofs will now be disconnected (5b99d2b)
  • The transaction pool has new metrics for the number of accounts with transactions (#33646, #33654)

For a full rundown of the changes please consult the Geth 1.17.0 release milestone.


As with all our previous releases, you can find the:

v1.16.9: Shield Focusing Module (v1.16.9)

Compare Source

This is a security hot-fix release. Specifically, this release fixes CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.


As with all our previous releases, you can find the:

v1.16.8: Moisture Filters (v1.16.8)

Compare Source

This is a security fix release and is recommended for all users. It resolves two p2p
vulnerabilities reported through the Ethereum Foundation bug bounty program.


As with all our previous releases, you can find the:

v1.16.7: Ballistic Drift Stabilizer (v1.16.7)

Compare Source

This is a re-roll of v1.16.6, including an important fix in the KZG cryptography library.

This release enables the Fusaka hardfork on Ethereum mainnet.

The Fusaka fork is scheduled to occur at 2025-12-03 21:49:11 UTC.
Please upgrade your node to v1.16.7 in time for the fork.

This release also enables two blob-parameter-only (BPO) upgrades.
These upgrades change protocol parameters to increase the available blob capacity.

  • BPO1 on 2025-12-09
  • BPO2 on 2026-01-07
Fusaka
  • Set mainnet timestamps for Osaka (#33063)
  • Enable Fusaka for geth --dev mode (#32917)
RPC
  • Add eth_sendRawTransactionSync which waits until either a timeout or the transaction is mined. This feature is mostly useful on L2s with lower blocktimes. (#32830, #32930, #32929)
  • Add support for eth_simulateV1 in ethclient (#32856)
  • Fix for an issue that might crash debug_traceCall (#33015)
  • Fix for an issue where local transactions were not persisted to the journal (#32921)
Core
Networking
  • New metrics for tracking slow peers (#32964)
  • Fix for an issue where disconnected peers were not removed in txFetcher (#32947)

For a full rundown of the changes please consult the Geth 1.16.6 and 1.16.7 release milestones.

As with all our previous releases, you can find the:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
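The ECIES advisory (CVE-2026-26315) and the crypto/ecies changelog entry above both turn on how a peer's public key is validated in the RLPx handshake. The Go block below is an added example, not go-ethereum's code and not the patched routine: it applies the checks a receiver should run on an uncompressed secp256k1 public key before using it in ECDH (length and 0x04 prefix, coordinates reduced mod p, the curve equation), using the standard curve parameters and the generator point as a constructed known-good input; the page does not say which check Geth lacked.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Standard secp256k1 parameters: field prime p and the curve y^2 = x^3 + 7.
var (
	secpP = mustHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F")
	secpB = big.NewInt(7)
	// Generator point G, used here only as a constructed known-good input.
	genX = "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"
	genY = "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"
)

func mustHex(s string) *big.Int {
	n, ok := new(big.Int).SetString(s, 16)
	if !ok {
		panic("bad hex constant: " + s)
	}
	return n
}

// PubkeyFromHex builds the 65-byte uncompressed encoding 0x04 || X || Y.
func PubkeyFromHex(xHex, yHex string) []byte {
	x, _ := hex.DecodeString(xHex)
	y, _ := hex.DecodeString(yHex)
	return append(append([]byte{0x04}, x...), y...)
}

// ValidateSecp256k1Pubkey accepts only a canonical affine point on secp256k1.
// The curve has cofactor 1, so an on-curve point is automatically in the
// prime-order group and no separate subgroup check is needed; the point at
// infinity has no 0x04 encoding, and (0,0) fails the curve equation.
func ValidateSecp256k1Pubkey(pub []byte) error {
	if len(pub) != 65 || pub[0] != 0x04 {
		return errors.New("pubkey: expected 65-byte uncompressed point with 0x04 prefix")
	}
	x := new(big.Int).SetBytes(pub[1:33])
	y := new(big.Int).SetBytes(pub[33:])
	if x.Cmp(secpP) >= 0 || y.Cmp(secpP) >= 0 {
		return errors.New("pubkey: coordinate not reduced modulo p")
	}
	lhs := new(big.Int).Mul(y, y) // y^2 mod p
	lhs.Mod(lhs, secpP)
	rhs := new(big.Int).Mul(x, x) // x^3 + 7 mod p
	rhs.Mul(rhs, x).Add(rhs, secpB).Mod(rhs, secpP)
	if lhs.Cmp(rhs) != 0 {
		return errors.New("pubkey: point is not on secp256k1")
	}
	return nil
}

func main() {
	good := PubkeyFromHex(genX, genY)
	bad := append([]byte(nil), good...)
	bad[64] ^= 0x01 // constructed: nudge Y off the curve by one bit
	fmt.Println("generator:", ValidateSecp256k1Pubkey(good))
	fmt.Println("tampered: ", ValidateSecp256k1Pubkey(bad))
}
```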

@renovate renovate Bot requested a review from a team as a code owner June 16, 2026 12:17
@renovate renovate Bot enabled auto-merge (squash) June 16, 2026 12:17

renovate Bot commented Jun 16, 2026


ℹ️ Artifact update notice

File name: eth-trie/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.43.0 -> v0.44.0
golang.org/x/sync v0.17.0 -> v0.18.0
github.com/consensys/gnark-crypto v0.18.0 -> v0.18.1
github.com/ethereum/c-kzg-4844/v2 v2.1.3 -> v2.1.5
golang.org/x/sys v0.37.0 -> v0.39.0

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    | Package                                            | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | github.com/ethereum/go-ethereum@v1.16.6 ⏵ v1.17.0 | 76 (+1)               | 100 (+31)     | 100     | 100         | 70
Updated | golang.org/x/crypto@v0.43.0 ⏵ v0.44.0             | 74                    | 98            | 100     | 100         | 100
Updated | golang.org/x/sync@v0.17.0 ⏵ v0.18.0               | 99                    | 100           | 100     | 100         | 100
