Vulnerability Details : CVE-2020-26240
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected. This issue is fixed as of 1.9.24.
Products affected by CVE-2020-26240
- cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26240
- 0.12%: Probability of exploitation activity in the next 30 days
- ~ 48 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26240
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N | 1.6 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2020-26240
- The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2020-26240
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p
  Ethash DAG generation bug can cause miners to create invalid PoW · Advisory · ethereum/go-ethereum · GitHub (Third Party Advisory)
- https://github.com/ethereum/go-ethereum/pull/21793
  consensus/ethash: use 64bit indexes for the DAG generation by slavikus · Pull Request #21793 · ethereum/go-ethereum · GitHub (Patch; Third Party Advisory)
- https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0
  consensus/ethash: use 64bit indexes for the DAG generation (#21793) · ethereum/go-ethereum@d990df9 · GitHub (Patch; Third Party Advisory)
- https://blog.ethereum.org/2020/11/12/geth_security_release/
  Geth security release | Ethereum Foundation Blog (Vendor Advisory)