Skip to main content
← Olympia Hub
SECURITYMarch 2026

Core-Geth Security Gap Analysis

Assessment of the Core-Geth execution client covering the 21-month maintenance gap from February 2024 through April 2026 — the longest gap since the 2016 chain split.

Executive Summary

Ethereum Classic's primary execution client, Core-Geth, has not shipped a maintenance release in 21 months. During this period, multiple security vulnerabilities were disclosed in upstream go-ethereum and the Go runtime, none of which have been patched in the production release available to node operators.

The upstream repository has been unresponsive to security disclosures, with no active maintainer, no redundancy in core development, and no published security advisories. This represents a structural risk to the Ethereum Classic network.

For the Olympia transition, Core-Geth has been brought forward with all known security patches under the ethereumclassic organization. We recommend all node operators update to the patched release.

CVE Gap Analysis

The following vulnerabilities affect the current upstream Core-Geth production release. All have been patched in Core-Geth 1.13.0 maintained under the ethereumclassic organization.

GHSA-4xc9-8hmq-j652CRITICALPATCHED

Consensus issue in EVM SELFDESTRUCT handling — incorrect state transition under specific contract interaction patterns

Affected: Core-Geth ≤ 1.12.19Fix: Core-Geth 1.13.0 (ethereumclassic fork)
GHSA-7p92-x423-wg5mHIGHPATCHED

DoS via crafted p2p message — unbounded memory allocation in devp2p layer

Affected: Core-Geth ≤ 1.12.19Fix: Core-Geth 1.13.0 (ethereumclassic fork)
GHSA-rjjm-x32p-m3f7HIGHPATCHED

JSON-RPC denial of service — specially crafted RPC call causes excessive CPU consumption

Affected: Core-Geth ≤ 1.12.19Fix: Core-Geth 1.13.0 (ethereumclassic fork)
GHSA-vf56-7gx4-qx8vMEDIUMPATCHED

Transaction pool manipulation — priority fee calculation edge case allows queue displacement

Affected: Core-Geth ≤ 1.12.19Fix: Core-Geth 1.13.0 (ethereumclassic fork)
GO-2024-3321HIGHPATCHED

Go 1.21 runtime vulnerability — net/http request smuggling via malformed Transfer-Encoding headers

Affected: Go ≤ 1.21.x (Core-Geth build dependency)Fix: Go 1.24 (Core-Geth 1.13.0)

Go Runtime End-of-Life

The upstream Core-Geth production release is built with Go 1.21, which reached end-of-life in August 2024. Go's release policy provides security patches only for the two most recent major versions. As of March 2026, Go 1.21 has been unsupported for 19 months.

Runtime vulnerabilities in Go's standard library (net/http, crypto/tls, encoding) affect all binaries compiled with the vulnerable toolchain — including Core-Geth. The GO-2024-3321 advisory above is one example; additional runtime CVEs exist in the Go vulnerability database.

Core-Geth 1.13.0 under the ethereumclassic organization builds on Go 1.24 (current stable, supported through February 2027).

Release Timeline

June 2023

Core-Geth 1.12.19 released (Spiral hard fork)

Last upstream release

August 2024

Go 1.21 reaches end-of-life

Build toolchain unsupported

September 2024

GHSA-4xc9-8hmq-j652 disclosed (Critical)

No upstream response

December 2024

Multiple CVEs accumulated, no security advisory published

18 months since last release

February 2025

Security disclosures sent to upstream maintainer

No response received

March 2026

Core-Geth 1.13.0 released under ethereumclassic org

All known CVEs patched, Go 1.24

Risk Assessment

Unpatched CVEsCRITICAL

Multiple disclosed vulnerabilities remain unpatched in the upstream production release, including consensus and DoS vectors.

Mitigation: All known CVEs patched in Core-Geth 1.13.0 under the ethereumclassic organization.

Go Runtime EOLHIGH

Upstream Core-Geth builds on Go 1.21, which reached end-of-life in August 2024. Runtime vulnerabilities affect all compiled binaries.

Mitigation: Core-Geth 1.13.0 builds on Go 1.24 (current stable).

Single MaintainerHIGH

No active maintainer — unresponsive to security disclosures, no redundancy in core development. Effectively deprecated for two years.

Mitigation: Olympia introduces multi-client architecture (Fukuii, Core-Geth, Besu) with multi-maintainer review.

No Release CadenceMEDIUM

The 21-month gap between releases is the longest since the 2016 chain split. No maintenance releases, no security advisories published.

Mitigation: Olympia establishes protocol-funded maintenance through the Treasury (ECIP-1112).

Recommendations

  • Node operators: Update to Core-Geth 1.13.0 from the ethereumclassic/core-geth repository. This release includes all known security patches and is built on Go 1.24.
  • Mining operators: Evaluate Fukuii as the recommended long-term client for Proof-of-Work consensus and mining operations.
  • Infrastructure providers: Consider running multiple client implementations (Fukuii, Core-Geth, Besu) for cross-validation and redundancy.
  • Exchanges and custodians: Verify your ETC node is running a patched client before the Olympia hard fork activation.

Methodology

This analysis was conducted by reviewing the upstream go-ethereum security advisories (GitHub Advisory Database), the Go vulnerability database (vuln.go.dev), and the Core-Geth commit history from June 2023 through March 2026. Each CVE was verified against the Core-Geth codebase to confirm applicability to Ethereum Classic.

The patched Core-Geth 1.13.0 release was validated through Mordor testnet deployment, cross-client genesis hash verification, and automated test suites across all three Olympia client implementations.