PT-2023-27526 · Unknown · Go-Ethereum

Patrick Mchardy · Published 2023-09-06 · Updated 2023-10-25 · CVE-2023-40591

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: go-ethereum (geth) versions prior to 1.12.1-stable

Description: A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The p2p handler spawns a new goroutine to respond to each ping request, so flooding a node with ping requests creates an unbounded number of goroutines, leading to resource exhaustion and a potential crash due to out-of-memory (OOM).

Recommendations: For go-ethereum (geth) versions prior to 1.12.1-stable, upgrade to version 1.12.1-stable or later, such as 1.12.2-unstable and onwards, to resolve the issue. As a temporary workaround, consider restricting access to the p2p handler to minimize the risk of exploitation. There are no known workarounds for this vulnerability.
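
The pattern in the description, reduced to a self-contained Go model (an added illustration, not go-ethereum's code or its patch): `unbounded` starts one goroutine per ping while the peer's socket is stalled, and `bounded` hands pings to a single worker so the read loop blocks instead. The `conn` type, the handler names and `peakWriters` are assumptions made for this example.

```go
package main

type conn struct { // constructed model of a peer socket whose pong writes stall
	events  chan int      // +1 when a pong write starts, -1 when it completes
	release chan struct{} // closed once the stalled socket drains
}

func (c *conn) writePong() {
	c.events <- 1
	<-c.release
	c.events <- -1
}

// unbounded is the flawed pattern from the description: one goroutine per ping.
func unbounded(c *conn, pings int) {
	for i := 0; i < pings; i++ {
		go c.writePong()
	}
}

// bounded hands each ping to one long-lived worker; the read loop blocks while it is busy.
func bounded(c *conn, pings int) {
	pingRecv := make(chan struct{})
	go func() {
		for range pingRecv {
			c.writePong()
		}
	}()
	for i := 0; i < pings; i++ {
		pingRecv <- struct{}{}
	}
	close(pingRecv)
}

// peakWriters returns the peak live pong writers; the socket drains after `stalled` are blocked.
func peakWriters(h func(*conn, int), pings, stalled int) (peak int) {
	c := &conn{events: make(chan int, 2*pings), release: make(chan struct{})}
	go h(c, pings)
	for seen, active := 0, 0; seen < 2*pings; seen++ {
		if seen == stalled {
			close(c.release)
		}
		if active += <-c.events; active > peak {
			peak = active
		}
	}
	return peak
}

func main() { println(peakWriters(unbounded, 1000, 1000), peakWriters(bounded, 1000, 1)) }
```

With the socket stalled, the per-ping handler holds one live goroutine for every ping received, while the single-worker handler holds one regardless of how many pings arrive.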

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-40591
GHSA-PPJG-V974-84CM
GO-2023-2046

Affected Products

Go-Ethereum