Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by ensdomains
CVE-2026-22866 (GCVE-0-2026-22866)
Vulnerability from nvd – Published: 2026-02-25 15:47 – Updated: 2026-02-25 20:34
VLAI
Title
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
Summary
Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. In versions 1.6.2 and prior, the `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership. Apatch was merged at commit c76c5ad0dc9de1c966443bd946fafc6351f87587. Possible workarounds include deploying the patched contracts and pointing DNSSECImpl.setAlgorithm to the deployed contract.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ensdomains/ens-contracts/secur… | x_refsource_CONFIRM |
| https://github.com/ensdomains/ens-contracts/commi… | x_refsource_MISC |
| https://github.com/ensdomains/ens-contracts-bug-6… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ensdomains | ens-contracts |
Affected:
<= 1.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22866",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T20:33:54.551584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T20:34:05.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ens-contracts",
"vendor": "ensdomains",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. In versions 1.6.2 and prior, the `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher\u0027s 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership. Apatch was merged at commit c76c5ad0dc9de1c966443bd946fafc6351f87587. Possible workarounds include deploying the patched contracts and pointing DNSSECImpl.setAlgorithm to the deployed contract."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:47:16.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-c6rr-7pmc-73wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-c6rr-7pmc-73wc"
},
{
"name": "https://github.com/ensdomains/ens-contracts/commit/c76c5ad0dc9de1c966443bd946fafc6351f87587",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts/commit/c76c5ad0dc9de1c966443bd946fafc6351f87587"
},
{
"name": "https://github.com/ensdomains/ens-contracts-bug-62248-pr-509",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts-bug-62248-pr-509"
}
],
"source": {
"advisory": "GHSA-c6rr-7pmc-73wc",
"discovery": "UNKNOWN"
},
"title": "ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22866",
"datePublished": "2026-02-25T15:47:16.230Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-02-25T20:34:05.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-38698 (GCVE-0-2023-38698)
Vulnerability from nvd – Published: 2023-08-04 17:41 – Updated: 2024-10-03 18:13
VLAI
Title
.eth registrar controller can shorten the duration of registered names
Summary
Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function. The vulnerability resides `@ensdomains/ens-contracts` prior to version 0.0.22.
If successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves. Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future. An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.
Version 0.0.22 contains a patch for this issue. As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.
Severity
4.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ensdomains/ens-contracts/secur… | x_refsource_CONFIRM |
| https://github.com/ensdomains/ens-contracts/commi… | x_refsource_MISC |
| https://github.com/ensdomains/ens-contracts/blob/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ensdomains | ens-contracts |
Affected:
<= 0.0.21
|
|
| ens.domains | ethereum_name_service |
Affected:
0 , ≤ 0.0.21
(custom)
cpe:2.3:a:ens.domains:ethereum_name_service:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3"
},
{
"name": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca"
},
{
"name": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ens.domains:ethereum_name_service:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ethereum_name_service",
"vendor": "ens.domains",
"versions": [
{
"lessThanOrEqual": "0.0.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38698",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:12:20.434166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:13:44.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ens-contracts",
"vendor": "ensdomains",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function. The vulnerability resides `@ensdomains/ens-contracts` prior to version 0.0.22.\n\nIf successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves. Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future. An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.\n\nVersion 0.0.22 contains a patch for this issue. As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T17:41:14.426Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3"
},
{
"name": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca"
},
{
"name": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171"
}
],
"source": {
"advisory": "GHSA-rrxv-q8m4-wch3",
"discovery": "UNKNOWN"
},
"title": ".eth registrar controller can shorten the duration of registered names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38698",
"datePublished": "2023-08-04T17:41:14.426Z",
"dateReserved": "2023-07-24T16:19:28.364Z",
"dateUpdated": "2024-10-03T18:13:44.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5232 (GCVE-0-2020-5232)
Vulnerability from nvd – Published: 2020-01-30 23:55 – Updated: 2024-08-04 08:22
VLAI
Title
Ethereum Name Service - Malicious takeover of previously owned ENS names
Summary
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry.
Severity
8.7 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ensdomains/ens/security/adviso… | x_refsource_CONFIRM |
| https://github.com/ensdomains/ens/commit/36e10e71… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ensdomains | @ensdomains/ens |
Affected:
< 0.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "@ensdomains/ens",
"vendor": "ensdomains",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-30T23:55:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf"
}
],
"source": {
"advisory": "GHSA-8f9f-pc5v-9r5h",
"discovery": "UNKNOWN"
},
"title": "Ethereum Name Service - Malicious takeover of previously owned ENS names",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5232",
"STATE": "PUBLIC",
"TITLE": "Ethereum Name Service - Malicious takeover of previously owned ENS names"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "@ensdomains/ens",
"version": {
"version_data": [
{
"version_value": "\u003c 0.4.0"
}
]
}
}
]
},
"vendor_name": "ensdomains"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h",
"refsource": "CONFIRM",
"url": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h"
},
{
"name": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf",
"refsource": "MISC",
"url": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf"
}
]
},
"source": {
"advisory": "GHSA-8f9f-pc5v-9r5h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5232",
"datePublished": "2020-01-30T23:55:13.000Z",
"dateReserved": "2020-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:22:09.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-22866 (GCVE-0-2026-22866)
Vulnerability from cvelistv5 – Published: 2026-02-25 15:47 – Updated: 2026-02-25 20:34
VLAI
Title
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
Summary
Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. In versions 1.6.2 and prior, the `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership. Apatch was merged at commit c76c5ad0dc9de1c966443bd946fafc6351f87587. Possible workarounds include deploying the patched contracts and pointing DNSSECImpl.setAlgorithm to the deployed contract.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ensdomains/ens-contracts/secur… | x_refsource_CONFIRM |
| https://github.com/ensdomains/ens-contracts/commi… | x_refsource_MISC |
| https://github.com/ensdomains/ens-contracts-bug-6… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ensdomains | ens-contracts |
Affected:
<= 1.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22866",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T20:33:54.551584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T20:34:05.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ens-contracts",
"vendor": "ensdomains",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. In versions 1.6.2 and prior, the `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher\u0027s 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership. Apatch was merged at commit c76c5ad0dc9de1c966443bd946fafc6351f87587. Possible workarounds include deploying the patched contracts and pointing DNSSECImpl.setAlgorithm to the deployed contract."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:47:16.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-c6rr-7pmc-73wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-c6rr-7pmc-73wc"
},
{
"name": "https://github.com/ensdomains/ens-contracts/commit/c76c5ad0dc9de1c966443bd946fafc6351f87587",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts/commit/c76c5ad0dc9de1c966443bd946fafc6351f87587"
},
{
"name": "https://github.com/ensdomains/ens-contracts-bug-62248-pr-509",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts-bug-62248-pr-509"
}
],
"source": {
"advisory": "GHSA-c6rr-7pmc-73wc",
"discovery": "UNKNOWN"
},
"title": "ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22866",
"datePublished": "2026-02-25T15:47:16.230Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-02-25T20:34:05.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-38698 (GCVE-0-2023-38698)
Vulnerability from cvelistv5 – Published: 2023-08-04 17:41 – Updated: 2024-10-03 18:13
VLAI
Title
.eth registrar controller can shorten the duration of registered names
Summary
Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function. The vulnerability resides `@ensdomains/ens-contracts` prior to version 0.0.22.
If successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves. Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future. An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.
Version 0.0.22 contains a patch for this issue. As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.
Severity
4.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ensdomains/ens-contracts/secur… | x_refsource_CONFIRM |
| https://github.com/ensdomains/ens-contracts/commi… | x_refsource_MISC |
| https://github.com/ensdomains/ens-contracts/blob/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ensdomains | ens-contracts |
Affected:
<= 0.0.21
|
|
| ens.domains | ethereum_name_service |
Affected:
0 , ≤ 0.0.21
(custom)
cpe:2.3:a:ens.domains:ethereum_name_service:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3"
},
{
"name": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca"
},
{
"name": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ens.domains:ethereum_name_service:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ethereum_name_service",
"vendor": "ens.domains",
"versions": [
{
"lessThanOrEqual": "0.0.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38698",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:12:20.434166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:13:44.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ens-contracts",
"vendor": "ensdomains",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function. The vulnerability resides `@ensdomains/ens-contracts` prior to version 0.0.22.\n\nIf successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves. Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future. An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.\n\nVersion 0.0.22 contains a patch for this issue. As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T17:41:14.426Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3"
},
{
"name": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca"
},
{
"name": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171"
}
],
"source": {
"advisory": "GHSA-rrxv-q8m4-wch3",
"discovery": "UNKNOWN"
},
"title": ".eth registrar controller can shorten the duration of registered names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38698",
"datePublished": "2023-08-04T17:41:14.426Z",
"dateReserved": "2023-07-24T16:19:28.364Z",
"dateUpdated": "2024-10-03T18:13:44.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5232 (GCVE-0-2020-5232)
Vulnerability from cvelistv5 – Published: 2020-01-30 23:55 – Updated: 2024-08-04 08:22
VLAI
Title
Ethereum Name Service - Malicious takeover of previously owned ENS names
Summary
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry.
Severity
8.7 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ensdomains/ens/security/adviso… | x_refsource_CONFIRM |
| https://github.com/ensdomains/ens/commit/36e10e71… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ensdomains | @ensdomains/ens |
Affected:
< 0.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "@ensdomains/ens",
"vendor": "ensdomains",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-30T23:55:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf"
}
],
"source": {
"advisory": "GHSA-8f9f-pc5v-9r5h",
"discovery": "UNKNOWN"
},
"title": "Ethereum Name Service - Malicious takeover of previously owned ENS names",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5232",
"STATE": "PUBLIC",
"TITLE": "Ethereum Name Service - Malicious takeover of previously owned ENS names"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "@ensdomains/ens",
"version": {
"version_data": [
{
"version_value": "\u003c 0.4.0"
}
]
}
}
]
},
"vendor_name": "ensdomains"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h",
"refsource": "CONFIRM",
"url": "https://github.com/ensdomains/ens/security/advisories/GHSA-8f9f-pc5v-9r5h"
},
{
"name": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf",
"refsource": "MISC",
"url": "https://github.com/ensdomains/ens/commit/36e10e71fcddcade88646821e0a57cc6c19e1ecf"
}
]
},
"source": {
"advisory": "GHSA-8f9f-pc5v-9r5h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5232",
"datePublished": "2020-01-30T23:55:13.000Z",
"dateReserved": "2020-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:22:09.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}