Skip to main content

zebrad CVE-2026-52731

MEDIUM
Uncaught Exception (CWE-248)
2026-07-02 https://github.com/ZcashFoundation/zebra GHSA-qv2r-v3mx-f4pf
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network RPC requires low-privilege authentication (cookie) by default; no confidentiality or integrity impact; complete availability loss via process abort.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 19:52 vuln.today

DescriptionGitHub Advisory

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled).
  3. An attacker can authenticate to the RPC endpoint. With the default enable_cookie_auth = true, this requires the attacker to read the .cookie file. With enable_cookie_auth = false, any network client reaching the RPC port can trigger it.

Summary

The getblocktemplate RPC handler panics when parsing a LongPollId parameter that contains non-ASCII (multi-byte UTF-8) characters. The handler performs byte-index string slicing on the user-supplied string, which panics in Rust when a byte index falls within a multi-byte character boundary. Because Zebra's release profile sets panic = "abort", the panic terminates the entire node process.

Details

The getblocktemplate handler receives a user-supplied LongPollId string and slices it at fixed byte offsets to extract the encoded tip hash and tip height. When the string contains multi-byte UTF-8 characters, a byte-index slice can land in the middle of a character, causing Rust's str indexing to panic with "byte index is not a char boundary."

Under the panic = "abort" release profile, this panic terminates the entire zebrad process rather than just the RPC task.

Patches

zebra-rpc 8.0.0 and zebrad 4.5.0.

Replace byte-index string slicing with character-aware parsing or validate that the LongPollId string contains only ASCII characters before slicing.

Workarounds

  • Disable the RPC server by removing rpc.listen_addr from zebrad.toml.
  • Ensure enable_cookie_auth = true (the default) and restrict filesystem access to the .cookie file.
  • Place a reverse proxy in front of the RPC port that validates LongPollId parameters are ASCII-only before forwarding.

Impact

A single authenticated RPC request terminates the zebrad process. Same impact profile as GHSA-c8w6-x74f-vmg3: repeatable on restart, affects mining pools and infrastructure that forward getblocktemplate calls.

Credit

Reported by @sangsoo-osec via a private GitHub Security Advisory submission.

AnalysisAI

Process termination via crafted RPC input in zebrad (Zcash Foundation's Zcash node) up to v4.4.1 allows an authenticated network attacker to kill the entire node daemon by submitting a getblocktemplate RPC call with a LongPollId parameter containing multi-byte UTF-8 characters. The root cause is unsafe byte-index string slicing in Rust, which panics when a byte offset lands mid-character; because the release profile sets panic = "abort", this immediately terminates the zebrad process rather than unwinding only the RPC task. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain RPC credentials or confirm cookie auth disabled
Delivery
Connect to zebrad TCP RPC endpoint
Exploit
Craft getblocktemplate request with multi-byte UTF-8 in LongPollId
Execution
Submit request; Rust slice panics at char boundary
Persist
panic=abort terminates zebrad process
Impact
Repeat on restart for persistent DoS

Vulnerability AssessmentAI

Exploitation Three conditions must all be satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterizes this as a medium-severity, network-reachable denial-of-service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the zebrad `.cookie` file - obtained via a co-located compromised process, misconfigured filesystem permissions, or a configuration with `enable_cookie_auth = false` - sends a single `getblocktemplate` JSON-RPC request to the listening TCP address, embedding a `LongPollId` string that contains a multi-byte UTF-8 character such as a Unicode code point above U+007F. The zebra-rpc handler slices the string at a fixed byte offset that lands inside the multi-byte character, triggering a Rust panic; because the release binary sets `panic = "abort"`, the entire zebrad process terminates immediately. …
Remediation Upgrade to zebrad 4.5.0 and zebra-rpc 8.0.0, which replace unsafe byte-index string slicing with character-aware parsing or ASCII validation before slicing, as described in the GitHub Security Advisory at https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qv2r-v3mx-f4pf. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy