Zebra CVE-2026-44500
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers
Summary
Several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.
Severity
Moderate - This is a Denial-of-Service Vulnerability that could allow a malicious peer to amplify per-message memory and parse cost on Zebra nodes, with effects amplified by multi-peer fan-in.
Each individual case is bounded by the 2 MiB transport ceiling or the block-size cap, so no single message causes unbounded allocation, but the cumulative gap between intended and actual limits is significant.
Affected Versions
All Zebra versions prior to 4.4.0.
Description
Zebra's network codec uses TrustedPreallocate and generic Vec deserialization to bound inbound message parsing. In several places the bound used at the deserializer was the generic transport or block-size ceiling rather than the tighter protocol or consensus rule that applies to the field, so allocation happened first and the real limit was only enforced afterwards. Four such cases were identified:
headersmessage receive cap.read_headers()deserialized theCountedHeadervector via the genericTrustedPreallocatepath, which allowed up to ~1,409 entries per message. The protocol ceilingMAX_FIND_BLOCK_HEADERS_RESULTS = 160was only used on the send side, giving an ~8.8x preallocation gap on receive. Reachable before the version handshake completes since the codec is installed on raw bytes.- Equihash solution length.
Solution::zcash_deserializedecoded the solution as a genericVec<u8>and only checked the exact consensus size (1344 bytes mainnet/testnet, 36 bytes regtest) afterwards inSolution::from_bytes. A single fixed-size header field could be inflated to nearly the full block-size ceiling before rejection. - Sapling spend vectors in coinbase transactions. V5
spend_prefixesand V4shielded_spendswere allocated generically with block-size-derived ceilings (~5,681 / ~5,208 entries) before the consensus rule that coinbase transactions have zero Sapling spends was enforced in the verifier. - Coinbase script bytes.
Input::zcash_deserialize()read the coinbase script as a genericVec<u8>up to the message-size cap before enforcing the consensus rule that coinbase scripts are between 2 and 100 bytes.
An attacker could exploit this by:
- Opening an inbound TCP connection (and, for the latter three cases, completing the version handshake).
- Sending one of: a
headersmessage with a CompactSize count up to ~1,409, ablockwhose header carries an inflated equihash CompactSize, atxdeclaring a coinbase input with a largenSpendsSapling, or ablockwith a coinbase input whose script length is near the message-size ceiling. - The deserializer allocates against the loose ceiling, parses, and only then rejects.
Impact
Denial of Service
- Attack Vector: Network.
- Effect: Amplified per-message allocation and parse cost on inbound peer messages, stackable across concurrent connections. The concrete effect will be influenced by how much memory Zebra has available.
- Scope: Any affected Zebra node.
Fixed Versions
This issue is fixed in Zebra 4.4.0.
Mitigation
Users should upgrade to Zebra 4.4.0 or later immediately.
There are no known workarounds for this issue. Immediate upgrade is the only way to remove the amplified allocation surface on inbound peer messages.
Credits
Zebra thanks @Zk-nd3r for finding and reporting the issues.
AnalysisAI
Allocation amplification in Zebra network deserializers allows unauthenticated remote peers to force excessive memory preallocation and parsing overhead across multiple message types (headers, blocks, transactions) by exploiting the use of generic transport/block-size ceilings instead of protocol-specific limits. An attacker can trigger 8.8x oversized header allocations, unbounded equihash solution parsing, and inflated Sapling spend vector allocations on inbound peer messages, causing denial of service through cumulative per-connection and multi-peer fan-in effects. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible, unauthenticated exploitation of default configurations; no public exploit identified at time of analysis, but vendor-released patch available in Zebra 4.4.0.
Technical ContextAI
Zebra's network codec implements inbound deserialization using TrustedPreallocate and generic Vec<T> unmarshaling to bound message parsing. The vulnerability stems from a cascading-limit anti-pattern: the deserializer allocates buffers against loose, generic ceilings (2 MiB transport message size or block-size caps) before tighter protocol or consensus rules are enforced. Four specific cases were identified. First, read_headers() uses TrustedPreallocate for CountedHeader vectors, which allows up to ~1,409 entries per message via the generic preallocation path; however, the actual protocol limit MAX_FIND_BLOCK_HEADERS_RESULTS = 160 is only enforced on the send side, creating an 8.8x gap. Second, Solution::zcash_deserialize() decodes equihash solutions as generic Vec<u8> and validates the exact consensus size (1344 bytes mainnet/testnet, 36 bytes regtest) only post-deserialization in Solution::from_bytes(), allowing inflate to block-size ceiling. Third, V5/V4 transaction spend_prefixes and shielded_spends are allocated with block-size-derived ceilings (~5,681 and ~5,208 entries respectively) before the consensus rule that coinbase transactions contain zero Sapling spends is enforced. Fourth, Input::zcash_deserialize() reads coinbase scripts as generic Vec<u8> up to message-size cap before enforcing the consensus rule that coinbase scripts are 2-100 bytes. All four cases violate the principle of validate-before-allocate, deferring tight bounds checking to after resource commitment. The affected CPE strings (pkg:rust/zebra-network, pkg:rust/zebrad, pkg:rust/zebra-chain) map to the Rust ecosystem components responsible for network I/O and deserialization. CWE-770 (Allocation of Resources Without Limits or Throttling) correctly categorizes this pattern.
RemediationAI
Node operators should upgrade to Zebra 4.4.0 or later immediately. Vendor-released patch: Zebra 4.4.0 (pkg:rust/zebrad 4.4.0, pkg:rust/zebra-network 6.0.0, pkg:rust/zebra-chain 7.0.0). The fix validates consensus and protocol limits before allocating buffers: coinbase Sapling spend counts are validated before allocation, coinbase script byte sizes (2-100 bytes) are enforced pre-deserialization, equihash solution sizes are checked before allocation, and the read_headers() path enforces the 160-entry protocol ceiling on inbound. No workarounds exist. For users unable to upgrade immediately, the only compensating control is to restrict inbound peer connections to a small, trusted set (e.g., via firewall or node configuration to allow only known peer addresses), though this breaks peer-to-peer functionality and is not recommended as a long-term solution. The upgrade is straightforward (binary replacement or Rust cargo update) and poses no consensus risk since the fix only tightens validation. See https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv for advisory details and https://github.com/ZcashFoundation/zebra/pull/10525, #10526, #10527, #10528 for code changes.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-438q-jx8f-cccv