Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections. This vulnerability is fixed in zebrad version 4.3.0 and zebra-network version 5.0.1.
Published: 2026-04-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through out-of-memory exhaustion
Action: Patch Now
AI Analysis

Impact

Zcash Foundation’s Zebra node implementation contains a resource exhaustion vulnerability: while deserializing addr and addrv2 P2P messages, Zebra sizes the address vector from the 2 MiB message limit, which allows more than 233,000 addresses even though the protocol caps the list at 1,000. This memory is committed before the upper bound is enforced, so an attacker who sends many such messages over multiple connections can exhaust the node’s heap and trigger an out-of-memory abort, causing a denial of service. The flaw is a classic CWE-770 scenario.
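The ordering the fix depends on, as an added Rust example (not Zebra's code): the declared entry count is checked against the 1,000-entry cap before any buffer is sized from it. The fixed 9-byte entry, `AddrError`, `parse_addrs` and `build_message` are assumptions made for this example; the two limits come from the description above.

```rust
use std::io::Read;

// Limits quoted in the advisory.
const MAX_MESSAGE_LEN: usize = 2 * 1024 * 1024; // 2 MiB message size limit
const MAX_ADDRS: u64 = 1_000; // per-message cap from the specification
// Assumption for this example: a fixed 9-byte wire entry, not Zebra's real layout.
const ENTRY_LEN: usize = 9;

#[derive(Debug, PartialEq)]
enum AddrError { TooMany(u64), Truncated }

// Upper bound obtained from the message size alone (the pre-fix behaviour described).
fn size_derived_bound() -> u64 { (MAX_MESSAGE_LEN / ENTRY_LEN) as u64 }

// Bitcoin-style CompactSize length prefix (canonical-encoding checks omitted).
fn read_compact_size(r: &mut impl Read) -> Result<u64, AddrError> {
    let mut first = [0u8; 1];
    r.read_exact(&mut first).map_err(|_| AddrError::Truncated)?;
    let width = match first[0] { 0xfd => 2, 0xfe => 4, 0xff => 8, n => return Ok(n as u64) };
    let mut buf = [0u8; 8];
    r.read_exact(&mut buf[..width]).map_err(|_| AddrError::Truncated)?;
    Ok(u64::from_le_bytes(buf))
}

// Hardened parse: the protocol cap is enforced before anything is sized by `count`.
fn parse_addrs(r: &mut impl Read) -> Result<Vec<[u8; ENTRY_LEN]>, AddrError> {
    let count = read_compact_size(r)?;
    if count > MAX_ADDRS { return Err(AddrError::TooMany(count)); }
    let mut out = Vec::with_capacity(count as usize); // at most 1,000 entries
    for _ in 0..count {
        let mut entry = [0u8; ENTRY_LEN];
        r.read_exact(&mut entry).map_err(|_| AddrError::Truncated)?;
        out.push(entry);
    }
    Ok(out)
}

// Constructed test message: CompactSize count (0xfe form) plus `present` zeroed entries.
fn build_message(count: u32, present: usize) -> Vec<u8> {
    let mut msg = vec![0xfe];
    msg.extend_from_slice(&count.to_le_bytes());
    msg.resize(5 + present * ENTRY_LEN, 0);
    msg
}

fn main() {
    let n = size_derived_bound(); // 233,016 with the assumed entry size
    let big = build_message(n as u32, 0);
    println!("size-derived bound {n}: {:?}", parse_addrs(&mut big.as_slice()).map(|v| v.len()));
    let ok = build_message(1_000, 1_000);
    println!("1,000 entries: {:?}", parse_addrs(&mut ok.as_slice()).map(|v| v.len()));
}
```

A count above the cap is rejected after only the length prefix has been read, so the per-connection cost of an oversized message stays at a few bytes rather than a vector sized for hundreds of thousands of entries.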

Affected Systems

The problem exists in zebrad releases prior to v4.3.0 and in zebra‑network releases before v5.0.1. Any node running those legacy versions and accepting external addr/addrv2 messages is at risk. Versions v4.3.0 of zebrad and v5.0.1 of zebra‑network contain the fix.

Risk and Exploitability

The CVSS score of 6.3 places the vulnerability in the medium severity range. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, implying that known exploitation activity is either low or not documented. Nevertheless, the flaw can be triggered remotely over untrusted network connections with no authentication, making it potentially exploitable by anyone who can reach the node. Attacking such a node would involve sending large addr/addrv2 messages on multiple connections to drain memory, and the lack of built-in mitigation in affected releases keeps the risk significant until the patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zebrad to version 4.3.0 or later and zebra‑network to version 5.0.1 or later; this removes the ability to allocate oversized address vectors.
  • Restart the zebrad and zebra‑network services after upgrading to ensure the new code is loaded.
  • Configure network-level rate limiting or firewall rules to restrict the number of addr/addrv2 messages accepted from untrusted peers, reducing the chance of memory exhaustion even if an older version is still running for legacy reasons.

Advisories
Source: GitHub GHSA
ID: GHSA-xr93-pcq3-pxf8
Title: Zebra: addr/addrv2 Deserialization Resource Exhaustion

History

Wed, 22 Apr 2026 12:15:00 +0000

Values added:
First Time appeared: Zcashfoundation; Zcashfoundation zebra-network; Zcashfoundation zebrad
Vendors & Products: Zcashfoundation; Zcashfoundation zebra-network; Zcashfoundation zebrad

Wed, 22 Apr 2026 00:00:00 +0000

Values added:
Description: same text as the Description at the top of this page
Title: Zebra: addr/addrv2 Deserialization Resource Exhaustion
Weaknesses: CWE-770
References
Metrics:
cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:18.824Z

Reserved: 2026-04-15T15:57:41.719Z

Link: CVE-2026-40881

Vulnrichment

Updated: 2026-04-21T19:52:03.611Z

NVD

Status: Received

Published: 2026-04-21T20:17:01.850

Modified: 2026-04-21T21:16:43.613

Link: CVE-2026-40881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:44Z

Weaknesses