How This Was Found
While building Fukuii and conducting cross-client validation for the Olympia upgrade, core developers ran compatibility tests against the upstream Core-Geth release available to node operators. The testing process surfaced what the commit history confirmed: upstream Core-Geth had not shipped a maintenance release in 21 months, had accumulated multiple unpatched CVEs, and was still shipping binaries built on Go 1.21 — a runtime version that reached end-of-life in August 2024.
Security disclosures sent to the upstream maintainer in February 2025 received no response. With Olympia requiring a reliable, patched client for network continuity, the ETC core development team brought Core-Geth forward under the ethereumclassic organization, applied all known patches, upgraded the Go toolchain to 1.26+, and released Core-Geth 1.13.0. We recommend all node operators update to this release.
CVE Gap Analysis
The following vulnerabilities were present in the upstream Core-Geth production release at the time of discovery. All have been patched in Core-Geth 1.13.0 at github.com/ethereumclassic/core-geth.
| Advisory | Severity | Status | Description |
| --- | --- | --- | --- |
| GHSA-4xc9-8hmq-j652 | CRITICAL | PATCHED | Consensus issue in EVM SELFDESTRUCT handling causing incorrect state transitions under specific contract interaction patterns |
| GHSA-7p92-x423-wg5m | HIGH | PATCHED | DoS via crafted p2p message causing unbounded memory allocation in devp2p layer |
| GHSA-rjjm-x32p-m3f7 | HIGH | PATCHED | JSON-RPC denial of service via specially crafted RPC call causing excessive CPU consumption |
| GHSA-vf56-7gx4-qx8v | MEDIUM | PATCHED | Transaction pool manipulation via priority fee calculation edge case allowing queue displacement |
| GO-2024-3321 | HIGH | PATCHED | Go 1.21 runtime vulnerability allowing net/http request smuggling via malformed Transfer-Encoding headers |
Go Runtime End-of-Life
The upstream Core-Geth production release was built with Go 1.21, which reached end-of-life in August 2024. Go's release policy provides security patches only for the two most recent major versions. As of March 2026, Go 1.21 had been unsupported for 19 months.
Runtime vulnerabilities in Go's standard library (net/http, crypto/tls, encoding) affect all binaries compiled with the vulnerable toolchain, including Core-Geth. The GO-2024-3321 advisory above is one example; additional runtime CVEs exist in the Go vulnerability database.
Cross-client testing for Olympia surfaced this directly: Fukuii required Go 1.26+ for build compatibility, which made the toolchain gap between the two clients immediately visible. Core-Geth 1.13.0 at github.com/ethereumclassic/core-geth is built on Go 1.26+ (current stable).
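The toolchain check described in this section can be automated. The following is an added example, not code from Core-Geth or from the original advisory: it reads the Go version recorded inside a compiled binary and applies the two-most-recent-releases rule. The tool name `gocheck`, the function names, and the operator-supplied "latest release" argument are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// releaseOf extracts N from a toolchain string such as "go1.21.13" or
// "go1.26rc1"; it returns an error for devel or unparsable versions.
func releaseOf(v string) (int, error) {
	var n int
	_, err := fmt.Sscanf(v, "go1.%d", &n)
	return n, err
}

// Supported applies the release policy quoted above: only the latest Go
// release and the one before it still receive security fixes.
func Supported(binaryGo, latestGo string) (bool, error) {
	b, errB := releaseOf(binaryGo)
	l, errL := releaseOf(latestGo)
	if errB != nil || errL != nil {
		return false, fmt.Errorf("cannot compare %q with %q", binaryGo, latestGo)
	}
	return b >= l-1, nil
}

// Check reads the toolchain version embedded in the binary at path.
func Check(path, latestGo string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := Supported(info.GoVersion, latestGo)
	return info.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <latest-go-release>")
		os.Exit(2)
	}
	v, ok, err := Check(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("built with %s, supported=%v\n", v, ok)
}
```

`go version <binary>` prints the same embedded toolchain string from the command line, and `govulncheck -mode=binary <binary>` lists known advisories that affect it.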
Release Timeline
- Core-Geth 1.12.19 released (Spiral hard fork): last upstream release
- Go 1.21 reaches end-of-life: build toolchain unsupported
- GHSA-4xc9-8hmq-j652 disclosed (Critical): no upstream response
- Multiple CVEs accumulated, no security advisory published: 18 months since last release
- Security disclosures sent to upstream maintainer: no response received
- Core-Geth 1.13.0 released at github.com/ethereumclassic/core-geth: all known CVEs patched, Go 1.26+
Risk Assessment
Multiple disclosed vulnerabilities remained unpatched in the upstream production release, including consensus and DoS vectors.
Mitigation: All known CVEs patched in Core-Geth 1.13.0 at github.com/ethereumclassic/core-geth.
Upstream Core-Geth was built on Go 1.21, which reached end-of-life in August 2024. Runtime vulnerabilities affect all compiled binaries.
Mitigation: Core-Geth 1.13.0 builds on Go 1.26+ (current stable).
No active maintainer. Unresponsive to security disclosures with no redundancy in core development. Effectively deprecated for two years.
Mitigation: Olympia introduces multi-client architecture (Fukuii, Core-Geth, Besu) with multi-maintainer review.
The 21-month gap between releases is the longest in the network's history. No maintenance releases, no security advisories published.
Mitigation: Olympia establishes protocol-funded maintenance through the Treasury (ECIP-1112).
Recommendations
- Node operators: Update to Core-Geth 1.13.0 from github.com/ethereumclassic/core-geth. This release includes all known security patches and is built on Go 1.26+.
- Mining operators: Evaluate Fukuii as the recommended long-term client for Proof-of-Work consensus and mining operations.
- Infrastructure providers: Consider running multiple client implementations (Fukuii, Core-Geth, Besu) for cross-validation and redundancy.
- Exchanges and custodians: Verify your ETC node is running a patched client before the Olympia hard fork activation.
Methodology
These findings emerged from cross-client compatibility work conducted during Fukuii development and Olympia upgrade preparation. Validation included reviewing the upstream go-ethereum security advisories (GitHub Advisory Database), the Go vulnerability database (vuln.go.dev), and the Core-Geth commit history from June 2023 through March 2026. Each CVE was verified against the Core-Geth codebase to confirm applicability to Ethereum Classic.
Core-Geth 1.13.0 was validated through Mordor testnet deployment, cross-client genesis hash verification, and automated test suites across all three Olympia client implementations.