Skip to content

[GHSA-mq3p-rrmp-79jg] go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message #7103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
timothyfraser1955-del wants to merge 1 commit into
base: timothyfraser1955-del/advisory-improvement-7103
Choose a base branch
from
Open

[GHSA-mq3p-rrmp-79jg] go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message #7103

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions advisories/github-reviewed/2026/01/GHSA-mq3p-rrmp-79jg/GHSA-mq3p-rrmp-79jg.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mq3p-rrmp-79jg",
"modified": "2026-01-13T21:55:29Z",
"modified": "2026-01-13T22:15:33Z",
"published": "2026-01-13T21:55:29Z",
"aliases": [
"CVE-2026-22868"
Expand All @@ -11,7 +11,7 @@
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N"
Copy link

Copilot AI Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CVSS v4 vector sets confidentiality/integrity impacts (VC/VI) and subsequent system impacts (SC/SI) to High, but this advisory’s summary/details describe a CPU-exhaustion DoS. Unless there’s evidence of data compromise or downstream system impact, the vector should reflect availability-only impact (e.g., VC:N/VI:N with VA:H and typically SC/SI:N). Please re-check the CVSS v4 scoring source (GitHub/NVD) and update the vector accordingly.

Suggested change
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"

Copilot uses AI. Check for mistakes.
}
],
"affected": [
Expand Down Expand Up @@ -61,7 +61,7 @@
"CWE-20",
"CWE-400"
],
"severity": "HIGH",
"severity": "CRITICAL",
Copy link

Copilot AI Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

database_specific.severity was bumped to CRITICAL, but the described impact is a DoS via high CPU usage. In this repo, similar availability-only CVSS v4 vectors are typically categorized as HIGH (for example, GHSA-8r9q-7v3j-jr4g uses an availability-only CVSS v4 vector and severity: HIGH). After correcting/confirming the CVSS vector, please ensure this severity value matches the assessed impact.

Suggested change
"severity": "CRITICAL",
"severity": "HIGH",

Copilot uses AI. Check for mistakes.
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T21:55:29Z",
"nvd_published_at": "2026-01-13T21:15:54Z"
Expand Down
Loading