Skip to main content

zebrad CVE-2026-52732

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-02 https://github.com/ZcashFoundation/zebra GHSA-4fc2-h7jh-287c
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable via default P2P, no authentication or complexity; availability impact is partial since only mempool admission is blocked while block sync continues.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 20:38 vuln.today

DescriptionGitHub Advisory

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node accepts inbound P2P connections (network.listen_addr is set, which is the default).
  3. Your node's mempool is active (node is synced near the chain tip).

All default configurations are affected.

Summary

A single unauthenticated P2P peer can monopolize all 25 inbound mempool download/verification slots (MAX_INBOUND_CONCURRENCY) by advertising fake transaction IDs. While the slots are occupied, all other inbound transactions from honest peers and local RPC sendrawtransaction calls are rejected with MempoolError::FullQueue. The attacker peer is never scored for misbehavior and is not disconnected, allowing sustained denial of mempool admission.

Details

The mempool download/verification pipeline at zebrad/src/components/mempool/downloads.rs uses a single bounded pool of 25 concurrent tasks. Three architectural gaps combine to produce the vulnerability:

  1. No per-peer accounting: the 25 slots are shared across all peers with no cap on how many a single peer can hold.
  2. No overload signaling: when FullQueue is returned, the inbound service at zebrad/src/components/inbound.rs maps it to Response::Nil, hiding the overload from the peer connection layer. The existing handle_inbound_overload disconnection logic never fires.
  3. No misbehavior attribution: peer identity is not carried through the Gossip type into the download pipeline, so verification failures cannot be attributed to the originating peer.

The attacker sends inv messages advertising fake transaction IDs. Zebra queues download tasks for each ID. The attacker stays silent; each slot is held until the TRANSACTION_DOWNLOAD_TIMEOUT (20 seconds) fires. The attacker periodically sends fresh inv waves to re-fill slots as they expire.

Two additional slot-holding techniques have been independently demonstrated: invalid-prevout transactions that park in AwaitOutput for 60 seconds, and expensive shielded proof verification with auth-variant cache bypass. All three techniques are addressed by the same per-peer accounting fix.

Patches

zebrad 4.5.0

The fix adds per-peer queue accounting to the mempool download pipeline. A single peer is limited to a fraction of MAX_INBOUND_CONCURRENCY (e.g., 5 slots out of 25). FullQueue is surfaced as an overload signal to the peer connection layer. Peer identity is plumbed through the Gossip type for misbehavior attribution.

Workarounds

There is no complete configuration-level workaround. Reducing network.peerset_initial_target_size limits the total inbound peer count but does not prevent a single peer from holding all mempool slots.

Impact

Mempool transaction admission is denied for all honest peers and local RPC clients while the attack is sustained. Block validation and chain synchronization continue normally. The attacker needs only one TCP connection and minimal bandwidth (~1 KB/s of fake inv messages). The node recovers immediately when the attacker stops. This does not affect consensus, funds, or on-disk state.

Credit

Reported by @dingledropper via a private GitHub Security Advisory submission.

AnalysisAI

Mempool admission in zebrad up to v4.4.1 can be completely blocked by a single unauthenticated P2P peer using minimal bandwidth (~1 KB/s), exploiting absent per-peer slot accounting in the transaction download/verification pipeline. By advertising fake transaction IDs via inv messages, an attacker holding one TCP connection can monopolize all 25 MAX_INBOUND_CONCURRENCY slots, causing every subsequent inbound transaction from honest peers - and local RPC sendrawtransaction calls - to fail with MempoolError::FullQueue indefinitely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish inbound P2P TCP connection to synced zebrad node
Delivery
Flood inv messages with fake transaction IDs
Exploit
Occupy all 25 MAX_INBOUND_CONCURRENCY mempool download slots
Execution
FullQueue silently mapped to Response::Nil, suppressing disconnection logic
Persist
Honest peer transactions and RPC sendrawtransaction calls rejected
Impact
Periodically refresh slots to sustain denial indefinitely

Vulnerability AssessmentAI

Exploitation Three conditions must all be true, and all three are satisfied by default: (1) zebrad version must be 4.4.1 or earlier; (2) network.listen_addr must be configured to accept inbound P2P connections, which is the default setting; and (3) the node's mempool must be active, meaning the node has completed initial block download and is synced near the current chain tip. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L scores 5.3 (Medium), reflecting zero-complexity, unauthenticated, network-accessible exploitation with a limited availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker establishes a standard inbound P2P TCP connection to a synced zebrad node and floods it with inv messages advertising nonexistent transaction IDs, filling all 25 mempool download slots within seconds. The attacker then stays silent while slots are held until the 20-second TRANSACTION_DOWNLOAD_TIMEOUT fires, periodically refreshing the slot pool with new fake inv waves at roughly 1 KB/s to sustain the denial indefinitely - all honest peer transactions and local sendrawtransaction RPC calls are rejected with MempoolError::FullQueue for the duration, with zero misbehavior score accrued by the attacker.
Remediation The primary fix is to upgrade zebrad to version 4.5.0, which introduces per-peer queue accounting capping a single peer at approximately 5 of the 25 MAX_INBOUND_CONCURRENCY slots, surfaces FullQueue as a proper overload signal to the peer connection layer triggering handle_inbound_overload disconnection, and plumbs peer identity through the Gossip type to enable misbehavior attribution and scoring. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy