CVE-2024-32972 HIGH

CVE-2024-32972: go-ethereum denial of service via malicious p2p message

Vendor Ethereum
Product go-ethereum
Weakness CWE-400
Published May 6, 2024
Last update August 2, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

go-ethereum (geth) is a Go execution-layer implementation of the Ethereum protocol. In versions prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.13.15` and later.

Key dates

02 Disclosure timeline

May 6, 2024 CVE published
August 2, 2024 Record updated