CVE-2021-39137: Ethereum Contains Consensus Flaw During Block Processing
(updated )
A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot
when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.
All Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.
This bug was exploited on Mainnet at block 13107518, leading to a minority chain split.
References
- github.com/advisories/GHSA-9856-9gg9-qcmq
- github.com/ethereum/go-ethereum
- github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f
- github.com/ethereum/go-ethereum/releases/tag/v1.10.8
- github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq
- nvd.nist.gov/vuln/detail/CVE-2021-39137
- pkg.go.dev/vuln/GO-2022-0254
Detect and mitigate CVE-2021-39137 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →