Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests when inbound network deserialization in Zebra preallocates buffers based on generic transport ceilings before enforcing stricter protocol limits. An unauthenticated or post-handshake peer can force the node to allocate and parse data far exceeding intended limits across various message types, consuming excessive memory and potentially causing denial of service.
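The ordering problem described above, shown as an added Rust example (not Zebra's code): the wire format, the limits MAX_MESSAGE_BYTES, MAX_HEADERS and HEADER_BYTES, and all function names are assumptions made for illustration. parse_weak reserves capacity from the peer-supplied count before the tight limit is applied; parse_hardened checks the protocol limit and the actual body length first.

```rust
// Added illustration: wire format and every limit below are constructed, not Zebra's.
const MAX_MESSAGE_BYTES: usize = 2 * 1024 * 1024; // generic transport ceiling (assumed)
const MAX_HEADERS: usize = 160; // tighter protocol limit (assumed)
const HEADER_BYTES: usize = 80; // toy fixed-size item
type Header = [u8; HEADER_BYTES];

/// `reserved_bytes` records what was reserved before the short body was noticed.
#[derive(Debug, PartialEq)]
pub enum ParseError { TooManyItems, Truncated { reserved_bytes: usize } }

/// Splits off the u32 little-endian item count that prefixes the body.
fn read_count(input: &[u8]) -> Result<(usize, &[u8]), ParseError> {
    if input.len() < 4 { return Err(ParseError::Truncated { reserved_bytes: 0 }); }
    let (p, body) = input.split_at(4);
    Ok((u32::from_le_bytes([p[0], p[1], p[2], p[3]]) as usize, body))
}

/// Copies `count` headers from `body`; callers have already checked the length.
fn fill(out: &mut Vec<Header>, body: &[u8], count: usize) {
    for chunk in body.chunks_exact(HEADER_BYTES).take(count) {
        let mut h = [0u8; HEADER_BYTES];
        h.copy_from_slice(chunk);
        out.push(h);
    }
}

/// Weak ordering: reserve from the peer's count, bounded only by the transport ceiling.
pub fn parse_weak(input: &[u8]) -> Result<Vec<Header>, ParseError> {
    let (count, body) = read_count(input)?;
    if count > MAX_MESSAGE_BYTES / HEADER_BYTES { return Err(ParseError::TooManyItems); }
    let mut out: Vec<Header> = Vec::with_capacity(count); // allocation precedes tight checks
    let reserved_bytes = out.capacity() * HEADER_BYTES;
    if body.len() < count * HEADER_BYTES { return Err(ParseError::Truncated { reserved_bytes }); }
    fill(&mut out, body, count);
    if out.len() > MAX_HEADERS { Err(ParseError::TooManyItems) } else { Ok(out) }
}

/// Hardened ordering: protocol limit and real body length are checked before reserving.
pub fn parse_hardened(input: &[u8]) -> Result<Vec<Header>, ParseError> {
    let (count, body) = read_count(input)?;
    if count > MAX_HEADERS { return Err(ParseError::TooManyItems); }
    if body.len() < count * HEADER_BYTES { return Err(ParseError::Truncated { reserved_bytes: 0 }); }
    let mut out: Vec<Header> = Vec::with_capacity(count);
    fill(&mut out, body, count);
    Ok(out)
}

fn main() {
    let claim = 26_214u32.to_le_bytes(); // constructed 4-byte message: large count, no body
    println!("weak: {:?}  hardened: {:?}", parse_weak(&claim), parse_hardened(&claim));
}
```

With these constructed limits, a 4-byte message makes the weak parser reserve about 2 MB before it notices the body is missing, while the hardened parser rejects the same message without allocating.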

Affected Systems

Affected systems are the Zcash Foundation's Zebra node implementations. Prior to version 4.4.0 of the zebrad component, prior to 7.0.0 of zebra-chain, and prior to 6.0.0 of zebra-network, these allocation issues were present. The fix is available in those three component releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in CISA's KEV catalog, suggesting a lower exploitation likelihood. However, the attack can be carried out remotely over an inbound network connection from an unauthenticated or post-handshake peer, making it feasible for adversaries to trigger the allocation amplification and exhaust memory, leading to service disruption.

Generated by OpenCVE AI on May 8, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to zebrad 4.4.0, zebra-chain 7.0.0, and zebra-network 6.0.0 or later to apply the patch
  • Restrict inbound network connections to trusted peers or block traffic from unknown sources via firewall or VPN
  • Monitor node memory usage and enforce resource limits or restart services when abnormal spikes occur



Advisories
Source ID Title
GitHub GHSA GHSA-438q-jx8f-cccv Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers
History

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Zcashfoundation
Zcashfoundation zebra
Vendors & Products Zcashfoundation
Zcashfoundation zebra

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Zfnd
Zfnd zebra-chain
Zfnd zebra-network
Zfnd zebrad
CPEs cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebra-network:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*
Vendors & Products Zfnd
Zfnd zebra-chain
Zfnd zebra-network
Zfnd zebrad

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
Title ZEBRA: Allocation Amplification in Inbound Network Deserializers
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:41:46.471Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44500

Vulnrichment

Updated: 2026-05-08T19:41:36.043Z

NVD

Status: Analyzed

Published: 2026-05-08T15:17:01.777

Modified: 2026-05-08T18:01:52.567

Link: CVE-2026-44500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z
