Incorrect Calculation Affecting github.com/ethereum/go-ethereum/core/vm package, versions <1.19.7
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMETHEREUMGOETHEREUMCOREVM-1045822
- published 26 Nov 2020
- disclosed 26 Nov 2020
- credit Unknown
Introduced: 26 Nov 2020
CVE-2020-26241 Open this link in a new tabHow to fix?
Upgrade github.com/ethereum/go-ethereum/core/vm to version 1.19.7 or higher.
Overview
github.com/ethereum/go-ethereum/core/vm is a Package that implements the Ethereum Virtual Machine.
Affected versions of this package are vulnerable to Incorrect Calculation. It can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode.When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.