Description
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE describes a denial-of-service vulnerability in Zebra's block discovery pipeline that permits an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The flaw arises from uncontrolled resource exhaustion (CWE-770) within the gossip, syncer, and download subsystems, which produces a monotonically increasing block deficit that never self-heals. As a result, the affected node can no longer receive or process new blocks, effectively losing its ability to stay in sync with the Zcash network.

Affected Systems

The vulnerability impacts the Zcash Foundation’s Zebra node software versions prior to 4.4.0. Any deployment of Zebra 4.3.x or earlier is susceptible, as the patch introducing protection was added in the 4.4.0 release.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity denial-of-service risk. No EPSS data is available, and the vulnerability is not recorded in the CISA KEV catalog. It is exploitable over a single TCP connection by an unauthenticated attacker, so any external host able to reach the Zebra node can initiate the attack without credentials. The impact extends to the node's entire block discovery process, leading to disconnection from its peers and loss of up-to-date block data.

Generated by OpenCVE AI on May 8, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Zebra to version 4.4.0 or later, which contains the fix for this denial‑of‑service attack.
  • If immediate upgrade is not possible, limit inbound connections to Zebra’s listening port and consider implementing IP filtering or firewall rules to restrict untrusted traffic from reaching the node.
  • After applying the patch or network restrictions, monitor the node's block discovery logs for stalls or queue saturation and verify that new blocks resume arriving.


Advisories

Source: GitHub GHSA
ID: GHSA-h9hm-m2xj-4rq9
Title: Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
History

Sat, 09 May 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Zcashfoundation; Zcashfoundation zebra

Type: Vendors & Products
Values Added: Zcashfoundation; Zcashfoundation zebra

Fri, 08 May 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:00:00 +0000

Type: Description
Values Added: ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.

Type: Title
Values Added: ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning

Type: Weaknesses
Values Added: CWE-770

Type: References

Type: Metrics
Values Added: cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T17:23:27.910Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44499

Vulnrichment

Updated: 2026-05-08T17:23:24.967Z

NVD

Status: Received

Published: 2026-05-08T16:16:13.117

Modified: 2026-05-08T16:16:13.117

Link: CVE-2026-44499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses