Skip to main content

CVE-2026-40881

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-18 https://github.com/ZcashFoundation/zebra GHSA-xr93-pcq3-pxf8
Denial Of Service Deserialization
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 21, 2026 - 20:22 NVD
6.3 (MEDIUM)
Patch released
Apr 18, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:55 vuln.today
Analysis Generated
Apr 18, 2026 - 00:45 vuln.today
CVE Published
Apr 18, 2026 - 00:42 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

CVE-2026-40881: addr/addrv2 Deserialization Resource Exhaustion

Summary

When deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections.

Severity

Moderate - This is a Denial of Service Vulnerability that could allow an attacker to crash a Zebra node.

Affected Versions

All Zebra versions prior to version 4.3.1.

Description

The vulnerability exists in the read_addr/addrv2 functions in codec.rs. It deserializes a vector of addresses with the zcash_deserialize() trait method, which uses as a upper bound the result of T::max_allocation(). For theses types, it was derived from dividing the max message size (2 MiB) by the minimum serialized size of one entry. For AddrV1: 2_097_152 / 30 = 69,904. For AddrV2: 2_097_152 / 9 = 233,016. Only after deserialization was the MAX_ADDRS_IN_MESSAGE = 1000 limit checked.

An attacker could exploit this by:

  1. Creating addr or addrv2 messages with a large number of entries.
  2. Submitting them to a Zebra node, possibly through multiple connections, to attempt to get Zebra into an out-of-memory state.

Impact

Denial of Service

  • Attack Vector: Network.
  • Effect: Zebra node crash.
  • Scope: Any impacted Zebra node.

Fixed Versions

This issue is fixed in Zebra 4.3.1.

The fix changes the max_allocation() method for the relevant types to return 1,000, thus blocking larger values prior to deserialization.

Mitigation

Users should upgrade to Zebra 4.3.1 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains not vulnerable to the denial of service attack.

Credits

Thanks @Zk-nd3r for finding and reporting the issue, and suggesting the fix.

AnalysisAI

Zebra cryptocurrency node prior to version 4.3.1 allocates excessive memory (up to 233,016 addresses) when deserializing addr/addrv2 protocol messages, even though the specification limits messages to 1,000 addresses. An attacker can trigger out-of-memory crashes by sending multiple oversized address messages over different connections. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open network connection to Zebra node
Delivery
Craft oversized addr message with 233,016 entries
Exploit
Send message to trigger pre-allocation
Execution
Repeat across multiple connections
Persist
Accumulate out-of-memory pressure
Impact
Zebra process crashes
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerability requires only that a Zebra node accepts peer-to-peer connections from the network and processes incoming addr or addrv2 messages, which is the default configuration for any Zebra node participating in the Zcash network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine denial of service vulnerability with moderate real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a Zcash protocol message (addr or addrv2) containing the maximum allowed serialized size (up to 2 MiB) with address entries, resulting in over 200,000 addresses in a single message. The attacker opens multiple TCP connections to a Zebra node and sends such oversized messages, causing the node to allocate excessive memory for deserialization (e.g., 233,016 addresses × ~9 bytes per address entry in addrv2). …
Remediation Upgrade Zebra immediately to version 4.3.1 or later. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40881 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy