| id: GO-2021-0063 |
| modules: |
| - module: github.com/ethereum/go-ethereum |
| versions: |
| - fixed: 1.9.25 |
| vulnerable_at: 1.9.24 |
| packages: |
| - package: github.com/ethereum/go-ethereum/les |
| symbols: |
| - serverHandler.handleMsg |
| derived_symbols: |
| - PrivateLightServerAPI.Benchmark |
| summary: |- |
| Nil pointer dereference via malicious RPC message in |
| github.com/ethereum/go-ethereum |
| description: |- |
| Due to a nil pointer dereference, a maliciously crafted RPC message can cause a |
| panic. If handling RPC messages from untrusted clients, this may be used as a |
| denial of service vector. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-26264 |
| ghsas: |
| - GHSA-r33q-22hv-j29q |
| credits: |
| - '@zsfelfoldi' |
| references: |
| - fix: https://github.com/ethereum/go-ethereum/pull/21896 |
| - fix: https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46 |
| review_status: REVIEWED |