VDB
CVE-2026-26315
CVE-2026-26315
PUBLISHED
CVSS 6.900000095367432 MEDIUM
go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth.
EPSS 0.03% · 8.7th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.03%
8.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | ethereum/go-ethereum | 0, 0 |
| ethereum | go_ethereum | 0, 0 |
| ethereum | go-ethereum | < 1.16.9, * |
Timeline
- Feb 18, 2026 CVE Published
- Feb 20, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
- Feb 25, 2026 EPSS Score
- Feb 27, 2026 CVE Updated
- Feb 27, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
References
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6j8-rg6r-7mv8 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-26315 advisory
- https://github.com/ethereum/go-ethereum/pull/33669 url
- https://github.com/ethereum/go-ethereum/commit/46bee92f9e64c0a06a12586a5d21cffc49d1ba8e url
- https://github.com/ethereum/go-ethereum package
- https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9 url
- https://pkg.go.dev/vuln/GO-2026-4511 url