PT-2024-25019 · Unknown · Go-Ethereum

Donghan Kim · Published 2024-05-06 · Updated 2025-01-09 · CVE-2024-32972

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: go-ethereum (geth) versions prior to 1.13.15
Description: A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node, potentially resulting in a denial of service as the node runs out of memory. The attack involves establishing a peer connection to the victim and sending a malicious GetBlockHeadersRequest message with a count of 0 over the ETH protocol. Due to an integer overflow, this allows the attacker to bypass maxHeadersServe and request all headers from the latest block back to the genesis block.
Recommendations: For go-ethereum (geth) versions prior to 1.13.15, update to version 1.13.15 or later to resolve the issue. As a temporary workaround, consider restricting peer connections to trusted nodes to minimize the risk of exploitation. Avoid using the GetBlockHeadersRequest message with a count of 0 until the issue is resolved.
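
The bug class named in the description, as an added example that is not go-ethereum's code: a simplified Go model of a serve limit that is clamped and then used in unsigned arithmetic, next to a hardened form. Only the name maxHeadersServe comes from this page; its value, the subtract-one step, the function names and the chain height are assumptions made for the model.

```go
package main

import "fmt"

// Simplified model, not go-ethereum's code. maxHeadersServe is the limit named
// in the advisory; the value 1024 and every other name here are assumptions.
const maxHeadersServe = 1024

// headersBelow models a chain walk: it returns how many headers would be read
// when asked for `count` headers going backwards from height `from`.
func headersBelow(from, count uint64) uint64 {
	if count > from+1 {
		return from + 1 // the walk stops at genesis (height 0)
	}
	return count
}

// serveVulnerable clamps the requested count, then derives a second count by
// subtracting 1 (an assumed step). For count == 0 the uint64 subtraction wraps
// to MaxUint64, so the derived value is no longer bounded by the clamp.
func serveVulnerable(head, count uint64) uint64 {
	if count > maxHeadersServe {
		count = maxHeadersServe
	}
	return headersBelow(head, count-1)
}

// serveHardened rejects a zero count before any arithmetic is done on it.
func serveHardened(head, count uint64) uint64 {
	if count == 0 {
		return 0
	}
	if count > maxHeadersServe {
		count = maxHeadersServe
	}
	return headersBelow(head, count-1)
}

func main() {
	const head = 19_000_000 // constructed chain height
	for _, c := range []uint64{0, 1, 5000} {
		fmt.Printf("count=%d vulnerable=%d hardened=%d\n",
			c, serveVulnerable(head, c), serveHardened(head, c))
	}
}
```

In the model, only the zero count escapes the limit: oversized counts are clamped as intended, which is why a test suite that checks large values alone would miss the wraparound.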

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2024-32972
GHSA-4XC9-8HMQ-J652
GO-2024-2819

Affected Products

Go-Ethereum