{"api_version":"1","generated_at":"2026-04-09T23:56:48+00:00","cve":"CVE-2020-26240","urls":{"html":"https://cve.report/CVE-2020-26240","api":"https://cve.report/api/cve/CVE-2020-26240.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-26240","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-26240"},"summary":{"title":"CVE-2020-26240","description":"Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2020-11-25 02:15:00","updated_at":"2020-12-03 15:16:00"},"problem_types":["CWE-682"],"metrics":[],"references":[{"url":"https://github.com/ethereum/go-ethereum/pull/21793","name":"https://github.com/ethereum/go-ethereum/pull/21793","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Bit boundary fix for the DAG generation routine by slavikus · Pull Request #21793 · ethereum/go-ethereum · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p","name":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Ethash DAG generation bug can cause miners to create invalid PoW · Advisory · ethereum/go-ethereum · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://blog.ethereum.org/2020/11/12/geth_security_release/","name":"https://blog.ethereum.org/2020/11/12/geth_security_release/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Geth security release | Ethereum Foundation Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0","name":"https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"consensus/ethash: use 64bit indexes for the DAG generation (#21793) · ethereum/go-ethereum@d990df9 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-26240","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26240","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"26240","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ethereum","cpe5":"go_ethereum","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26240","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ethereum","cpe5":"go_ethereum","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-26240","qid":"982040","title":"Go (go) Security Update for github.com/ethereum/go-ethereum/consensus (GHSA-v592-xf75-856p)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2020-26240","STATE":"PUBLIC","TITLE":"Erroneous Proof of Work calculation in geth"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"go-ethereum","version":{"version_data":[{"version_value":"< 1.9.24"}]}}]},"vendor_name":"ethereum"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24"}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-682: Incorrect Calculation"}]}]},"references":{"reference_data":[{"name":"https://blog.ethereum.org/2020/11/12/geth_security_release/","refsource":"MISC","url":"https://blog.ethereum.org/2020/11/12/geth_security_release/"},{"name":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p","refsource":"CONFIRM","url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p"},{"name":"https://github.com/ethereum/go-ethereum/pull/21793","refsource":"MISC","url":"https://github.com/ethereum/go-ethereum/pull/21793"},{"name":"https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0","refsource":"MISC","url":"https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0"}]},"source":{"advisory":"GHSA-v592-xf75-856p","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2020-11-25 02:15:00","lastModifiedDate":"2020-12-03 15:16:00","problem_types":["CWE-682"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*","versionEndExcluding":"1.9.24","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"26240","Ordinal":"187662","Title":"CVE-2020-26240","CVE":"CVE-2020-26240","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"26240","Ordinal":"1","NoteData":"Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24","Type":"Description","Title":null},{"CveYear":"2020","CveId":"26240","Ordinal":"2","NoteData":"2020-11-24","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"26240","Ordinal":"3","NoteData":"2020-11-24","Type":"Other","Title":"Modified"}]}}}