github memecore-foundation/Go-MemeCore v1.15.3

10 hours ago

Overview

This release includes security patches and bug fixes for improved network stability and upstream compatibility. All node operators are encouraged to upgrade.

Important: For MemeCore Mainnet Hardfork Schedule, please refer to v1.15.1 Release Notes.

v1.15.3 is a security hot-fix release that backports patches for CVE-2026-26314 and CVE-2026-26315, addressed in go-ethereum v1.16.9, and improves the stability of the PoSA consensus engine.

We recommend recreating your p2p node key after installing this update. Stop the node, delete the DATADIR/gmeme/nodekey file, and restart. A new key will be generated automatically. Note that regenerating the node key will change the p2p node ID.


Security Fixes

CVE-2026-26314: DoS via Malicious P2P Message (CVSS 4.0: 8.7 HIGH)

The secp256k1 elliptic curve operations did not validate whether coordinate values were greater than or equal to the field prime P, allowing points not on the curve to pass the IsOnCurve check. An attacker could send a crafted public key during the RLPx handshake, causing unexpected errors in the ECDH computation and crashing the node.

  • crypto/secp256k1 (Go): Added range validation to IsOnCurve() to reject coordinates where x >= P or y >= P.
  • crypto/secp256k1 (C/CGO): Added return value checking for secp256k1_fe_set_b32_limit() in secp256k1_ext_scalar_mul(), immediately rejecting out-of-range coordinates.
  • crypto/signature_nocgo.go (non-CGO): Added the same coordinate range validation to btCurve.IsOnCurve(), ensuring consistent security across CGO and non-CGO build environments.
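
The effect of the range check, as an added Go example (not the project's or go-ethereum's code; the function names are hypothetical): a test that only evaluates the curve equation mod P cannot tell a coordinate v from v+P, so the range must be checked first.

```go
package main

import (
	"fmt"
	"math/big"
)

// Public secp256k1 constants: field prime P and generator point (Gx, Gy).
var (
	P, _  = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)
	Gx, _ = new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
	Gy, _ = new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)
)

// curveEquationHolds tests only y^2 == x^3 + 7 (mod P). Every term is
// reduced mod P, so v and v+P are indistinguishable to it.
func curveEquationHolds(x, y *big.Int) bool {
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, P)
	rhs := new(big.Int).Mul(x, x)
	rhs.Mul(rhs, x)
	rhs.Add(rhs, big.NewInt(7))
	rhs.Mod(rhs, P)
	return lhs.Cmp(rhs) == 0
}

// isOnCurveStrict (hypothetical name) applies the range check first:
// both coordinates must be canonical field elements in [0, P).
func isOnCurveStrict(x, y *big.Int) bool {
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(P) >= 0 || y.Cmp(P) >= 0 {
		return false
	}
	return curveEquationHolds(x, y)
}

// nonCanonical returns v+P, a constructed out-of-range encoding of v.
func nonCanonical(v *big.Int) *big.Int { return new(big.Int).Add(v, P) }

func main() {
	x := nonCanonical(Gx) // constructed sample input
	fmt.Println("equation only accepts:", curveEquationHolds(x, Gy))
	fmt.Println("range check accepts:  ", isOnCurveStrict(x, Gy))
	fmt.Println("canonical G accepted: ", isOnCurveStrict(Gx, Gy))
}
```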

CVE-2026-26315: P2P Node Key Leakage via ECIES Oracle (CVSS 4.0: 6.9 MEDIUM)

When an invalid curve point was provided during ECIES decryption, the implementation proceeded to ECDH without IsOnCurve validation and only failed at the MAC verification stage with ErrInvalidMessage. An attacker could exploit this observable discrepancy (oracle) to incrementally extract bits of the p2p node private key through invalid-curve / small-subgroup attacks.

  • crypto/ecies: Added curve validity validation of the public key before ECDH in GenerateShared(), eliminating the oracle entirely. Invalid keys are immediately rejected with ErrInvalidPublicKey, and no ECDH computation is performed, preventing any node key information from being leaked.
  • p2p/rlpx: Added a regression test to verify that tampered curve points are correctly rejected with ErrInvalidPublicKey.

Note: This vulnerability may have already partially exposed existing node keys. See Upgrade Notes for node key regeneration steps.


Consensus Stability (Validator Only)

PoSA Signing Retry Logic Improvements

Two issues were fixed in the block signing retry logic of the PoSA consensus engine. These fixes apply only to Validator nodes that perform block signing and do not affect RPC or Full nodes.

Retry condition fix — Resolved an inefficient signing attempt order:

  • Before: Signing was attempted only after a retry delay (time.After), causing unnecessary latency even on the first attempt.
  • After: Signing is attempted immediately, and the delay is applied only after a failure before retrying.
  • Fixed an off-by-one error in the retry count boundary condition: retryCount < N → retryCount < N+1.

Concurrency race condition fix — Resolved a race condition on the stopCh channel in taskLoop:

  • The taskLoop goroutine and the exit goroutine could concurrently access stopCh through the interrupt() function, potentially causing a double-close panic or data race.
  • Added sync.Mutex to serialize stopCh access, and used a local variable currentStopCh to pass a stable channel reference to the Seal() call.

Upgrade Notes

  • Immediate upgrade is recommended. This release includes security patches for CVE-2026-26314 (DoS) and CVE-2026-26315 (node key leakage).

  • This release maintains backward compatibility. Upgrading requires only a binary replacement with no configuration changes.

  • Node key regeneration recommended: After upgrading, perform the following steps:

    # After stopping the node
    rm DATADIR/gmeme/nodekey
    # A new node key will be generated automatically on restart

    Note that regenerating the node key will change the p2p node ID.
