CVE-2024-32972: 
Ethereum Geth vulnerability analysis and mitigation

Go-ethereum (geth), a golang execution layer implementation of the Ethereum protocol, was found to contain a vulnerability (CVE-2024-32972) that was disclosed on May 6, 2024. The vulnerability affects versions prior to 1.13.15, where a vulnerable node could be manipulated to consume excessive memory resources when processing specially crafted p2p messages (GitHub Advisory).

The vulnerability stems from an integer overflow issue in the handling of GetBlockHeadersRequest messages within the ETH protocol. When an attacker sends a malicious request with a count of 0, the calculation of 'count-1' results in UINT64_MAX being passed as the count argument to the GetHeadersFrom function. This bypasses the maxHeadersServe limit, enabling the request of all headers from the latest block back to the genesis block, leading to excessive memory consumption (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

When exploited, this vulnerability allows an attacker to force a target node to consume very large amounts of memory through specially crafted p2p messages. The attack can be executed by establishing a peer connection to the victim and sending malicious GetBlockHeadersRequest messages, potentially leading to denial of service conditions (GitHub Advisory).

The vulnerability has been patched in go-ethereum version 1.13.15. Users are strongly advised to upgrade to this version or later. The fix was implemented through pull request #29534. No alternative workarounds have been made public (GitHub Advisory).