fix(deps): update module github.com/ethereum/go-ethereum to v1.17.0 [security]#35

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-github.com-ethereum-go-ethereum-vulnerability

Conversation


@renovate renovate bot commented Feb 20, 2026

This PR contains the following updates:

Package: github.com/ethereum/go-ethereum
Change:  v1.16.8 -> v1.17.0

GitHub Vulnerability Alerts

CVE-2026-26313

Impact

An attacker can cause high memory usage by sending a specially-crafted p2p message.
More details to be released later.

Patches

The issue is resolved in the v1.17.0 release.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by @revofusion

CVE-2026-26314

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message.
More details to be released later.

Patches

The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.

Credit

This issue was reported to the Ethereum Foundation Bug Bounty Program by Waleed Ahmed from vulsight.com

CVE-2026-26315

Impact

Through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.

Patches

The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file <datadir>/geth/nodekey before starting Geth.

Credit

The issue was reported as a public pull request to go-ethereum by @fengjian.


Release Notes

ethereum/go-ethereum (github.com/ethereum/go-ethereum)

v1.17.0: Eezo-Inlaid Circuitry (v1.17.0)


This is a feature release, with all accumulated development from the last 3 months. See below for the highlights.

Note that this release contains multiple critical security fixes, as well as many bug fixes, and is recommended for all users. However, if you are cautious about upgrades, you can also install v1.16.9 which has just the critical security fixes. Specifically, this release fixes CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.

Highlights

Path-based Archive Node with Proofs

The path-based archive node can now serve proofs (via eth_getProof) for the state of older blocks.

You can configure the block range that supports proving independently from other archive state availability. Specifically, you can use the --history.trienode command-line flag to set the number of blocks for which trie nodes will be tracked.

This feature is disabled by default. Note that state history cannot easily be recovered once deleted, as it can only be generated by processing blocks. However, you can enable trienode history (and/or state history) at any time to turn a full node into a partial archive node, keeping state from that point in time onwards.

#32727, #32621, #33551, #32981, #33399, #32913, #33303, #33584, #33329, #33681, #33103, #33098, #33515, #32247

EraE History Support

Geth now supports the EraE file format, an archival format for post-merge chain history.

#32157, #33827

OpenTelemetry Tracing

OpenTelemetry tracing is now supported by the RPC server, including support for distributed tracing.
We have also added some tracing spans for block processing via the engine API, i.e. engine_newPayload.

#33599, #33452, #33780, #33521

All Changes

Geth CLI
  • The geth version-check subcommand has been removed. This command checked the geth website for signed vulnerability notices, and would tell if updates are necessary (#33498)
  • There is now a --miner.maxblobs command-line flag to set a limit on blobs included in built blocks (#33129, #33302)
  • Geth now supports continuous profiling with Grafana Pyroscope (#33623)
  • A rare bug that could halt block production in geth --dev mode was fixed (#33146)
  • A new --rpc.rangelimit flag configures the maximum block range for eth_getLogs (#33163)
  • geth --exitwhensynced will now set the finalized and safe block (#33038)
  • geth --ethstats now reports the newPayload processing time to the stats server (#33395)
  • A lot of minor issues in Geth's command-line flag processing have been fixed (#33379, #33338, #33330, #32999, #33279, #33252)
  • The evm blocktest command can now read filenames from stdin when no path is provided (#32824)
Fork Implementation
Core
  • The crypto/ecies library allowed extraction of the private key used for key derivation via observation of response timing. We recommend rotating the node key after applying this update. (#33669)
  • When a missing block is encountered during tx unindexing, Geth will now skip it and move on instead of entering an infinite loop. (#33573)
  • Geth now optionally collects and exports metrics about the total state size (#33254, #33376, #33415)
  • There is a new OnStateUpdate hook, which is called after all state of a block has been committed. This gives access to the changeset of the block. (#33490)
  • Some minor tracing bugs have been fixed (#32919, #33148, #33644, #33214)
  • Various minor issues in the freezer database have also been fixed (#33747, #33025, #33203, #33344)
  • The setHead operation now unsets the finalized block, in cases where the rolled-back block range extends before it. (#33486)
  • The SignatureValues method of types.Signer now reports an error for invalid signature sizes (#33647)
  • Geth prints detailed log messages for 'slow blocks' (#33655, #33525, #33442, #32812, #33659, #33532)
  • Pebble configuration has been tweaked for improved performance (#33697, #33353, #33315)
  • A rare crash in the log indexer related to reorg handling has been fixed (#33810)
  • Internal state diff size accounting has been corrected, so state diffs will now be flushed to the disk store less often (#33505)
  • Since the keccak256 hash function variant used by Ethereum no longer has a fast-path in the standard library, we have vendored the keccak implementation back into our repository (#33323)
Library
  • The RLP library now has a RawList type for dealing with un-decoded lists in a more convenient way (#33755, #33834, #33840, #33841)
  • The low-level RLP iterator and uses of it have been improved (#33245, #33188, #33820)
  • Clef can now sign blob transactions with cell proofs (#32910)
  • Fixed some corner-case bugs in metrics exporting (#33749, #33748)
  • The hardware wallet library now supports the Ledger Nano Gen5 and correctly enables EIP-712 signing for all supported versions. (#33297, #33113)
  • SignTextWithPassphrase now works correctly with all supported hardware wallets (#33138)
  • Some minor bugs were fixed in the keystore implementation (#33606, #33602, #33090)
  • The bitutil.XORBytes function has been deprecated in favor of stdlib package crypto/subtle (#33331)
  • A memory leak in the beacon chain light client was fixed (#33483)
RPC
  • eth_getTransactionByHash now returns the blockTimestamp as part of the transaction object (#33709)
  • Error codes for some conditions in eth_simulateV1, eth_getLogs, eth_getStorageAt have been improved to better comply with the execution RPC spec (#33007, #33320, #33282)
  • eth_simulateV1 now selects the correct set of precompiles for the simulated header (#33363)
  • eth_sendTransaction and eth_fillTransaction now default to EIP-1559 (#33058)
  • The GraphQL implementation has received some bug fixes for cases where a resolved item is not found. (#33184, #33225)
  • In GraphQL, the gasPrice is now retrievable for transaction types 0x3 and 0x4 (#33542)
  • The RPC server now enables plain-text HTTP2 for improved performance (#33812)
  • The RPC client no longer sends spurious RST_STREAM HTTP2 frames (#33122)
  • Some minor JSON encoding bugs have been fixed in ethclient (#33693, #33242, #33464)
  • The gethclient has a new wrapper of the callTracer (#31510)
  • In the callTracer, reported logs now contain an index field which is the index of the log within the transaction (#33629)
P2P Networking
  • The transaction pool heartbeat mechanism had some fixes for potential resource leaks (#33704)
  • The eth and snap protocol implementations now validate most p2p messages before decoding their content. This improves security and sync performance in some cases. (#33835)
  • The blob transaction pool has seen some bug fixes and now accepts nonce-gapped transactions to a very limited extent (#32717, #33775, #33474, #33352, #33301, #33260)
  • Snap sync status is now tracked better, ensuring a snap sync will not be triggered accidentally by the engine API (#33157)
  • The snap sync scheduler was improved to better protect the trie database against accidental mutations while the node is processing blocks. This resolves some edge cases where the database could be corrupted (#33428)
  • The header sync implementation was fixed to better deal with setHead operations during sync (#33481)
  • Peer connections delivering stale transactions will be penalized less, since delivery of a few stale transactions is a common occurrence. (#32725)
  • Peers announcing transactions of one type, and delivering a different type, are now disconnected as penalty (#33378)
  • Similarly, peers delivering invalid KZG proofs will now be disconnected (5b99d2b)
  • The transaction pool has new metrics for the number of accounts with transactions (#33646, #33654)

For a full rundown of the changes please consult the Geth 1.17.0 release milestone.


As with all our previous releases, you can find the:

v1.16.9: Shield Focusing Module (v1.16.9)


This is a security hot-fix release. Specifically, this release fixes CVE-2026-26314, CVE-2026-26315.

We recommend recreating your p2p node key after installing this update, which you can do by removing the DATADIR/geth/nodekey file before restarting geth. Note this will cause a change in the p2p node ID, which may break static peering setups.


As with all our previous releases, you can find the:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
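One defender-side check that follows from this PR, written here as an added example rather than code from Renovate or from go-ethereum: a POSIX shell script that reads a go.mod fragment, pulls out the pinned go-ethereum version and classifies it against the fixed releases the advisory names, v1.16.9 (hot-fix for CVE-2026-26314 and CVE-2026-26315) and v1.17.0 (all three CVEs). The function names and the sample go.mod are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Renovate PR or from go-ethereum: classify a
# pinned go-ethereum version against the fixed releases named in this PR.
# Function names and the sample go.mod below are constructed for this example.

FIXED_HOTFIX="v1.16.9"    # fixes CVE-2026-26314 and CVE-2026-26315
FIXED_FEATURE="v1.17.0"   # additionally fixes CVE-2026-26313

# Print the go-ethereum version pinned in go.mod text read from stdin.
# Handles both "require (" blocks and single-line require directives.
geth_version() {
  awk '$1 == "github.com/ethereum/go-ethereum" { print $2; exit }
       $1 == "require" && $2 == "github.com/ethereum/go-ethereum" { print $3; exit }'
}

# Compare two vMAJOR.MINOR.PATCH versions numerically; prints -1, 0 or 1.
# A pre-release suffix (v1.17.0-rc.1) is stripped, so it compares as the release.
vercmp() {
  a=${1#v}; a=${a%%-*}; b=${2#v}; b=${b%%-*}
  oldIFS=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldIFS
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
    if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# unpatched:   below v1.16.9, all three CVEs open
# hotfix-only: v1.16.9 <= v < v1.17.0, CVE-2026-26313 still open
# patched:     v1.17.0 or later
geth_status() {
  if [ "$(vercmp "$1" "$FIXED_HOTFIX")" -lt 0 ]; then echo unpatched
  elif [ "$(vercmp "$1" "$FIXED_FEATURE")" -lt 0 ]; then echo hotfix-only
  else echo patched
  fi
}

# Constructed go.mod fragment pinning the version this PR bumps away from.
SAMPLE_GOMOD='module example.com/node
go 1.24
require (
    github.com/ethereum/go-ethereum v1.16.8
    example.com/other v0.3.0 // indirect
)'

v=$(printf '%s\n' "$SAMPLE_GOMOD" | geth_version)
echo "go-ethereum $v: $(geth_status "$v")"
```

Pipe a real go.mod into geth_version instead of the sample to check a repository; a hotfix-only result still leaves CVE-2026-26313 unaddressed per the advisory text above.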

@robinshen36

@algora-pbc attempt

Hi! I'd like to work on this.

My approach:
I'll analyze the requirements and implement a robust solution following the project's standards. I have experience with the relevant technologies and will ensure the code is well-tested and documented.

Estimated time: 2-5 days

Why me:

  • Strong technical background
  • Experience with open source contributions
  • Focus on quality and timely delivery

I'll have a PR ready soon!
