PT-2022-15931 · Unknown · Go-Ethereum

Published

2022-03-04

·

Updated

2022-03-17

·

CVE-2022-23328

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Go-Ethereum, all versions
Description: A design flaw in Go-Ethereum allows an attacker node to send 5120 pending transactions with a high gas price from a single account, each of which spends the account's full balance, to a victim Geth node. Because every one of these transactions outbids the existing contents of the pool, they can purge all pending transactions from the victim node's memory pool and then occupy the pool so that new transactions cannot enter, resulting in a denial of service (DoS).
Recommendations: For all versions, until a fix is available, consider limiting the number of pending transactions the pool accepts from a single account so that one sender cannot occupy the whole memory pool. As a temporary workaround, consider rate limiting high-gas-price transactions to reduce the risk of exploitation.
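The following is an added illustration, written for this entry, of the mechanism the description and recommendations refer to; it is a toy model, not code from Go-Ethereum's transaction pool. The model assumes a fixed-capacity pool that evicts its cheapest transaction when a better-priced one arrives and rejects underpriced arrivals, and a validator that, in its vulnerable form, compares each transaction's cost with the sender's balance on its own. The two hardening knobs (checking the sender's cumulative pending cost, and a per-account pending cap, the latter being what the recommendation above suggests) are assumptions of the model, not the project's fix. All account names, balances and the capacity of 8 (standing in for the 5120 in the description) are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Tx is a simplified pending transaction: sender, nonce, gas price and the
// total it would debit from the sender (value plus gas limit * gas price).
type Tx struct {
	From     string
	Nonce    uint64
	GasPrice uint64
	Cost     uint64
}

// Pool is a toy fixed-capacity transaction pool (hypothetical, not geth's).
// When full, a better-priced newcomer evicts the cheapest resident and an
// underpriced newcomer is rejected; that replacement policy is what the
// high-gas-price flood abuses.
type Pool struct {
	capacity      int
	balances      map[string]uint64 // constructed on-chain balances
	txs           []Tx
	cumulative    bool // hardened: validate the sender's whole pending set against its balance
	maxPerAccount int  // hardened: cap on pending txs per sender (0 = unlimited)
}

func NewPool(capacity int, balances map[string]uint64, cumulative bool, maxPerAccount int) *Pool {
	return &Pool{capacity: capacity, balances: balances, cumulative: cumulative, maxPerAccount: maxPerAccount}
}

// pending returns how many txs a sender already holds in the pool and their total cost.
func (p *Pool) pending(from string) (count int, cost uint64) {
	for _, t := range p.txs {
		if t.From == from {
			count++
			cost += t.Cost
		}
	}
	return count, cost
}

// Add validates tx and either stores it, evicts the cheapest resident to make room, or rejects it.
func (p *Pool) Add(tx Tx) error {
	balance := p.balances[tx.From]
	count, held := p.pending(tx.From)

	// Vulnerable check: each tx is compared with the balance in isolation, so a
	// sender can queue many txs that each spend its entire balance even though
	// only the first of them could ever execute.
	if tx.Cost > balance {
		return errors.New("insufficient funds")
	}
	// Hardened check: the sender's already-pending txs count against the balance too.
	if p.cumulative && held+tx.Cost > balance {
		return errors.New("insufficient funds for cumulative pending cost")
	}
	// Hardened check: bound how much of the pool one account may occupy.
	if p.maxPerAccount > 0 && count >= p.maxPerAccount {
		return errors.New("per-account pending limit reached")
	}
	if len(p.txs) >= p.capacity {
		cheapest := 0
		for i, t := range p.txs {
			if t.GasPrice < p.txs[cheapest].GasPrice {
				cheapest = i
			}
		}
		if tx.GasPrice <= p.txs[cheapest].GasPrice {
			return errors.New("underpriced")
		}
		p.txs = append(p.txs[:cheapest], p.txs[cheapest+1:]...)
	}
	p.txs = append(p.txs, tx)
	return nil
}

// Count returns the number of pooled txs whose sender name starts with prefix.
func (p *Pool) Count(prefix string) int {
	n := 0
	for _, t := range p.txs {
		if strings.HasPrefix(t.From, prefix) {
			n++
		}
	}
	return n
}

// Simulate fills a pool with honest low-priced txs, floods it from one attacker
// account whose every tx spends its full balance at a high gas price, then tries
// to submit one more honest tx. It reports how many honest txs survive, how many
// attacker txs are held, and whether the late honest tx was accepted.
func Simulate(cumulative bool, maxPerAccount int) (honestLeft, attackerHeld int, lateAccepted bool) {
	const capacity = 8 // stands in for the 5120 slots in the description
	balances := map[string]uint64{"attacker": 500, "late": 1000}
	for i := 0; i < capacity; i++ {
		balances[fmt.Sprintf("honest%d", i)] = 1000
	}
	p := NewPool(capacity, balances, cumulative, maxPerAccount)
	for i := 0; i < capacity; i++ {
		_ = p.Add(Tx{From: fmt.Sprintf("honest%d", i), Nonce: 0, GasPrice: 10, Cost: 100})
	}
	for n := uint64(0); n < capacity; n++ { // each attacker tx spends the whole 500 balance
		_ = p.Add(Tx{From: "attacker", Nonce: n, GasPrice: 50, Cost: 500})
	}
	err := p.Add(Tx{From: "late", Nonce: 0, GasPrice: 20, Cost: 100})
	return p.Count("honest"), p.Count("attacker"), err == nil
}

func main() {
	for _, c := range []struct {
		name          string
		cumulative    bool
		maxPerAccount int
	}{{"vulnerable", false, 0}, {"cumulative balance check", true, 0}, {"per-account cap of 2", false, 2}} {
		h, a, ok := Simulate(c.cumulative, c.maxPerAccount)
		fmt.Printf("%-24s honest left=%d attacker held=%d late honest tx accepted=%v\n", c.name, h, a, ok)
	}
}
```

In the vulnerable configuration every honest transaction is evicted, the attacker holds the whole pool, and the late honest transaction is rejected as underpriced, which is the denial of service the description outlines. Either hardening leaves the attacker with one or two slots and lets the late transaction in; the per-account cap is the simpler of the two and corresponds to the recommendation above.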

Exploit

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2022-23328
GHSA-VMF7-HMH6-VV57

Affected Products

Go-Ethereum