Incorrect Calculation Affecting github.com/ethereum/go-ethereum/core/vm package, versions <1.19.7
Attack Complexity
Low
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMETHEREUMGOETHEREUMCOREVM-1045822
-
published
26 Nov 2020
-
disclosed
26 Nov 2020
-
credit
Unknown
Introduced: 26 Nov 2020
CVE-2020-26241 Open this link in a new tabHow to fix?
Upgrade github.com/ethereum/go-ethereum/core/vm to version 1.19.7 or higher.
Overview
github.com/ethereum/go-ethereum/core/vm is a Package that implements the Ethereum Virtual Machine.
Affected versions of this package are vulnerable to Incorrect Calculation. It can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode.When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.