6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39137

GHSA ID

GHSA-9856-9gg9-qcmq

EPSS Score

0.53628%

CWE

CWE-436

Published

8/30/2021

Updated

8/29/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-39137

CVE-2021-39137: Ethereum Contains Consensus Flaw During Block Processing

Impact

A vulnerability in the Geth EVM could cause a node to reject the canonical chain.

Description

A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.

All Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.

This bug was exploited on Mainnet at block 13107518, leading to a minority chain split.

Patches

A patch is included in the v1.10.8 release. The exact patch to fix the issue is contained within this commit

Workarounds

No workarounds exist, save to update and/or apply the patch commit.

References.

Post-mortem write-up.

Credits

The bug was found by @guidovranken (working for Sentnl during an audit of the Telos EVM) and reported via bounty@ethereum.org.

For more information

If you have any questions or comments about this advisory:

Open an issue in go-ethereum
Email us at security@ethereum.org

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39137

GHSA ID

GHSA-9856-9gg9-qcmq

EPSS Score

0.53628%

CWE

CWE-436

Published

8/30/2021

Updated

8/29/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/ethereum/go-ethereum	go	>= 1.10.0, < 1.10.8	1.10.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper handling of return data buffers in EVM call operations. The patch adds explicit data copying (common.CopyBytes) in four call-handling functions in instructions.go and modifies return data handling in interpreter.go. These changes directly address memory corruption by preventing shared buffer reuse. The Go vulnerability report (GO-2022-0254) explicitly lists these EVM methods as affected symbols, and the commit diff shows the precise locations where memory safety was enforced.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * vuln*r**ility in t** **t* *VM *oul* **us* * no** to r*j**t t** **noni**l ***in. ### **s*ription * m*mory-*orruption *u* wit*in t** *VM **n **us* * *ons*nsus *rror, w**r* vuln*r**l* no**s o*t*in * *i***r*nt `st*t*Root` w**n pro**ssin

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* r*turn **t* *u***rs in *VM **ll op*r*tions. T** p*t** ***s *xpli*it **t* *opyin* (`*ommon.*opy*yt*s`) in *our **ll-**n*lin* *un*tions in `instru*tions.*o` *n* mo*i*i*s r*turn **t* **n*lin* in `int*r

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-39137: Ethereum Contains Consensus Flaw During Block Processing

Impact

Description

Patches

Workarounds

References.

Credits

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI