Skip to main content

Zebra (zebrad) CVE-2026-52829

HIGH
Reachable Assertion (CWE-617)
2026-07-02 https://github.com/ZcashFoundation/zebra GHSA-63wg-wjjj-7cp8
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated peer with no user interaction triggers a deterministic crash under default config, so AV:N/AC:L/PR:N/UI:N; impact is availability-only (A:H), no C/I effect, no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:50 vuln.today
CVE Published
Jul 02, 2026 - 20:26 github-advisory
HIGH 7.5

DescriptionGitHub Advisory

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node listens on the default [::] address on a Linux host (the standard deployment configuration - net.ipv6.bindv6only=0 is the default on all common Linux distributions).
  3. Your node is synced near the chain tip (the expected production state for any node participating in the network).

Summary

An address normalization mismatch between the handshake path and the mempool misbehavior path causes a deterministic assertion panic when a peer connects via IPv4 to a dual-stack IPv6 listener and then triggers a mempool misbehavior penalty.

The handshake path canonicalizes IPv4-mapped IPv6 addresses to plain IPv4 when storing the peer in the address book via MetaAddr::new_connected. The mempool misbehavior path forwards the raw transient socket address (IPv4-mapped IPv6 form) when sending MetaAddrChange::UpdateMisbehavior to the address book. The address book looks up the canonical IPv4 entry but then asserts that the previous entry's address matches the change's address. The mismatch between the canonical IPv4 address and the raw IPv4-mapped IPv6 address triggers the assertion, and panic = "abort" terminates the process.

Details

On Linux with net.ipv6.bindv6only=0, an IPv4 connection accepted by a [::] listener is represented internally as an IPv4-mapped IPv6 socket address (e.g., ::ffff:127.0.0.1:8233). Zebra's canonical_peer_addr helper converts these to plain IPv4 (e.g., 127.0.0.1:8233).

The handshake path uses MetaAddr::new_connected, which canonicalizes the address before storing in the address book. However, inbound inventory registration uses connected_addr.get_transient_addr(), preserving the raw IPv4-mapped form. When the mempool later downloads an invalid transaction from this peer and generates a misbehavior penalty, the raw transient address is forwarded through the misbehavior channel to MetaAddrChange::UpdateMisbehavior, which does not canonicalize.

After the 30-second misbehavior batch flush, AddressBook::update retrieves the canonical IPv4 entry but MetaAddrChange::apply_to_meta_addr asserts that previous.addr == self.addr(), which fails because one is IPv4 and the other is IPv4-mapped IPv6.

The attacker needs only to complete a P2P handshake over IPv4 to a dual-stack listener and advertise an invalid mempool transaction (such as a coinbase transaction). The assertion fires after the 30-second misbehavior batch flush.

Patches

Patched in Zebra 4.5.0. The fix canonicalizes the address in the misbehavior update path via a new MetaAddr::new_misbehavior constructor that applies canonical_peer_addr before creating the UpdateMisbehavior change.

Workarounds

Configuring listen_addr to an IPv4-only address (e.g., 0.0.0.0:8233) avoids the IPv4-mapped IPv6 representation and prevents this specific assertion. Alternatively, setting net.ipv6.bindv6only=1 on Linux prevents dual-stack acceptance.

Impact

A remote unauthenticated peer can deterministically crash any synced Zebra node running the default Linux dual-stack configuration with a single invalid mempool transaction advertisement, followed by a 30-second wait. The attack requires no mining capability, no RPC access, no funds, and no special privileges. The crash can be repeated after each restart, causing persistent downtime. Linux dual-stack sockets and mempool activation are the default production state, not special preconditions.

Credit

Reported by @Haxatron.

AnalysisAI

Remote denial of service in the Zebra Zcash full-node (zebrad) up to and including v4.4.1 lets an unauthenticated peer deterministically crash any synced node running the standard Linux dual-stack configuration. By completing a P2P handshake over IPv4 to a [::] listener and then advertising a single invalid mempool transaction (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect over IPv4 to [::] listener
Delivery
Complete P2P handshake
Exploit
Advertise invalid coinbase mempool tx
Execution
Misbehavior penalty queued with raw mapped address
Persist
30s batch flush hits address-book assertion
Impact
Process aborts (node down)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target zebrad node (≤ v4.4.1) to run on Linux, listen on the default dual-stack `[::]` `listen_addr` with `net.ipv6.bindv6only=0`, and be synced near the chain tip so the mempool is active - all of which are the standard/default production deployment per the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates a public Zebra node listening on the default `[::]` address, connects to it over IPv4 to complete a standard P2P handshake, and advertises an invalid mempool transaction such as a coinbase transaction. Roughly 30 seconds later the misbehavior batch flush fires the address-book assertion and the node aborts; the attacker simply reconnects and repeats after each restart to sustain outage. …
Remediation Vendor-released patch: upgrade zebrad to 4.5.0 or later, which adds a `MetaAddr::new_misbehavior` constructor that applies `canonical_peer_addr` in the misbehavior update path so the stored and change addresses match. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct comprehensive inventory of all zebrad deployments and identify versions ≤4.4.1; assess criticality to blockchain operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-52829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy