Miggo Logo
Miggo Vulnerability Database
CVE-2021-43668

CVE-2021-43668: Denial of Service in Go-Ethereum

5.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-43668
GHSA ID
GHSA-5m8f-chrv-7rw5
EPSS Score
0.17715%
CWE
CWE-476
Published
11/23/2021
Updated
9/18/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/ethereum/go-ethereumgo<= 1.10.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from a NULL pointer dereference in the github.com/syndtr/goleveldb/leveldb/table.(*Reader).newBlockIter function within the syndtr/goleveldb dependency, as evidenced by the stack trace pointing to reader.go:734. This function is called when Go-Ethereum interacts with its LevelDB storage. The crash occurs due to improper handling of a nil bpool in the dependency's code. However, the affected package listed is github.com/ethereum/go-ethereum, and no specific functions within this package directly exhibit the vulnerability. The issue arises from the vulnerable dependency, not from Go-Ethereum's own code. Thus, no functions in the Go-Ethereum package itself are identified with high confidence as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*o-*t**r*um *.**.* no**s *r*s* (**ni*l o* s*rvi**) **t*r r***ivin* * s*ri*l o* m*ss***s *n* **nnot ** r**ov*r**. T**y will *r*s* wit* "runtim* *rror: inv*li* m*mory ***r*ss or nil point*r **r***r*n**" *n* *ris* * S**V si*n*l.

Reasoning

T** vuln*r**ility st*ms *rom * NULL point*r **r***r*n** in t** `*it*u*.*om/syn*tr/*ol*v*l**/l*v*l**/t**l*.(*R****r).n*w*lo*kIt*r` *un*tion wit*in t** `syn*tr/*ol*v*l**` **p*n**n*y, *s *vi**n*** *y t** st**k tr*** pointin* to `r****r.*o:***`. T*is *un