Miggo Logo

CVE-2021-39137: Ethereum Contains Consensus Flaw During Block Processing

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.53628%
Published
8/30/2021
Updated
8/29/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/ethereum/go-ethereumgo>= 1.10.0, < 1.10.81.10.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper handling of return data buffers in EVM call operations. The patch adds explicit data copying (common.CopyBytes) in four call-handling functions in instructions.go and modifies return data handling in interpreter.go. These changes directly address memory corruption by preventing shared buffer reuse. The Go vulnerability report (GO-2022-0254) explicitly lists these EVM methods as affected symbols, and the commit diff shows the precise locations where memory safety was enforced.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * vuln*r**ility in t** **t* *VM *oul* **us* * no** to r*j**t t** **noni**l ***in. ### **s*ription * m*mory-*orruption *u* wit*in t** *VM **n **us* * *ons*nsus *rror, w**r* vuln*r**l* no**s o*t*in * *i***r*nt `st*t*Root` w**n pro**ssin

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* r*turn **t* *u***rs in *VM **ll op*r*tions. T** p*t** ***s *xpli*it **t* *opyin* (`*ommon.*opy*yt*s`) in *our **ll-**n*lin* *un*tions in `instru*tions.*o` *n* mo*i*i*s r*turn **t* **n*lin* in `int*r