zebrad CVE-2026-52731
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network RPC requires low-privilege authentication (cookie) by default; no confidentiality or integrity impact; complete availability loss via process abort.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionGitHub Advisory
Am I affected
You are affected if:
- You run
zebradup to and includingv4.4.1. - Your
zebrad.tomlsetsrpc.listen_addrto a TCP address (RPC server is enabled). - An attacker can authenticate to the RPC endpoint. With the default
enable_cookie_auth = true, this requires the attacker to read the.cookiefile. Withenable_cookie_auth = false, any network client reaching the RPC port can trigger it.
Summary
The getblocktemplate RPC handler panics when parsing a LongPollId parameter that contains non-ASCII (multi-byte UTF-8) characters. The handler performs byte-index string slicing on the user-supplied string, which panics in Rust when a byte index falls within a multi-byte character boundary. Because Zebra's release profile sets panic = "abort", the panic terminates the entire node process.
Details
The getblocktemplate handler receives a user-supplied LongPollId string and slices it at fixed byte offsets to extract the encoded tip hash and tip height. When the string contains multi-byte UTF-8 characters, a byte-index slice can land in the middle of a character, causing Rust's str indexing to panic with "byte index is not a char boundary."
Under the panic = "abort" release profile, this panic terminates the entire zebrad process rather than just the RPC task.
Patches
zebra-rpc 8.0.0 and zebrad 4.5.0.
Replace byte-index string slicing with character-aware parsing or validate that the LongPollId string contains only ASCII characters before slicing.
Workarounds
- Disable the RPC server by removing
rpc.listen_addrfromzebrad.toml. - Ensure
enable_cookie_auth = true(the default) and restrict filesystem access to the.cookiefile. - Place a reverse proxy in front of the RPC port that validates
LongPollIdparameters are ASCII-only before forwarding.
Impact
A single authenticated RPC request terminates the zebrad process. Same impact profile as GHSA-c8w6-x74f-vmg3: repeatable on restart, affects mining pools and infrastructure that forward getblocktemplate calls.
Credit
Reported by @sangsoo-osec via a private GitHub Security Advisory submission.
AnalysisAI
Process termination via crafted RPC input in zebrad (Zcash Foundation's Zcash node) up to v4.4.1 allows an authenticated network attacker to kill the entire node daemon by submitting a getblocktemplate RPC call with a LongPollId parameter containing multi-byte UTF-8 characters. The root cause is unsafe byte-index string slicing in Rust, which panics when a byte offset lands mid-character; because the release profile sets panic = "abort", this immediately terminates the zebrad process rather than unwinding only the RPC task. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must all be satisfied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterizes this as a medium-severity, network-reachable denial-of-service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the zebrad `.cookie` file - obtained via a co-located compromised process, misconfigured filesystem permissions, or a configuration with `enable_cookie_auth = false` - sends a single `getblocktemplate` JSON-RPC request to the listening TCP address, embedding a `LongPollId` string that contains a multi-byte UTF-8 character such as a Unicode code point above U+007F. The zebra-rpc handler slices the string at a fixed byte offset that lands inside the multi-byte character, triggering a Rust panic; because the release binary sets `panic = "abort"`, the entire zebrad process terminates immediately. … |
| Remediation | Upgrade to zebrad 4.5.0 and zebra-rpc 8.0.0, which replace unsafe byte-index string slicing with character-aware parsing or ASCII validation before slicing, as described in the GitHub Security Advisory at https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qv2r-v3mx-f4pf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qv2r-v3mx-f4pf