Skip to main content

Zebra (Zcash node) EUVDEUVD-2026-28655

| CVE-2026-41585 MEDIUM
Uncaught Exception (CWE-248)
2026-05-08 security-advisories@github.com
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 08, 2026 - 16:18 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:17 vuln.today
Analysis Generated
May 08, 2026 - 16:17 vuln.today
CVE Published
May 08, 2026 - 15:16 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.

AnalysisAI

Denial of service in Zebra's JSON-RPC HTTP middleware allows authenticated RPC clients to crash a Zebra node by disconnecting mid-request, exploiting improper error handling that treats incomplete HTTP body reads as unrecoverable failures instead of returning error responses. Affects zebrad versions 2.2.0 through 4.3.0 and zebra-rpc versions 1.0.0-beta.45 through 6.0.1. No public exploit code or active exploitation confirmed; patch available in zebrad 4.3.1 and zebra-rpc 6.0.2.

Technical ContextAI

Zebra is a Zcash blockchain node implementation written in Rust. The vulnerability resides in the JSON-RPC HTTP middleware layer that handles incoming RPC requests over HTTP. The root cause is CWE-248 (Uncaught Exception), where the middleware fails to properly handle exceptions or error conditions when reading the incoming HTTP request body. When a client disconnects or resets the TCP connection before transmitting the complete request body, the middleware's HTTP request parsing logic encounters a read failure. Rather than gracefully handling this I/O error and returning an HTTP error response (e.g., 400 Bad Request), the middleware treats it as an unrecoverable fatal error and calls process abort(), immediately terminating the entire Zebra node. This affects both the standalone zebrad binary (versions 2.2.0-4.3.0) and the zebra-rpc crate library (versions 1.0.0-beta.45-6.0.1) which provide the HTTP middleware implementation.

RemediationAI

Upgrade zebrad to version 4.3.1 or later, and zebra-rpc to version 6.0.2 or later. The patched versions propagate HTTP request body read failures as ordinary error responses (HTTP 400 or similar) rather than aborting the process. If immediate upgrade is not feasible, implement strict network isolation by binding the RPC interface to localhost only and ensuring cookie authentication remains enabled (the default configuration). If RPC must be exposed to untrusted networks, restrict access via firewall rules or reverse proxy authentication in front of the Zebra node. Be aware that these mitigations reduce availability and administrative flexibility but do not fully eliminate the DoS risk if authentication credentials are compromised.

Share

EUVD-2026-28655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy