Skip to main content

Zebra EUVDEUVD-2026-28801

| CVE-2026-44499 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-08 GitHub_M GHSA-h9hm-m2xj-4rq9
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 08, 2026 - 17:02 EUVD
Analysis Generated
May 08, 2026 - 16:30 vuln.today
CVSS changed
May 08, 2026 - 16:22 NVD
8.7 (HIGH)
CVE Published
May 08, 2026 - 15:11 nvd
HIGH 8.7

DescriptionGitHub Advisory

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems - all exercisable from a single TCP connection - to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.

AnalysisAI

Remote denial-of-service in Zebra (Zcash node implementation) versions prior to 4.4.0 allows unauthenticated attackers to permanently halt block synchronization via a single TCP connection. The attack exploits three independent weaknesses in gossip, syncer, and download subsystems to create an irreversible block discovery deficit. Vendor patch available in version 4.4.0. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, but the technical barrier appears low given network attack vector with no authentication or complexity requirements (CVSS 4.0: AV:N/AC:L/PR:N).

Technical ContextAI

Zebra is a Rust-based alternative full node implementation for the Zcash cryptocurrency network, performing block validation and network consensus functions. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling) affecting three distinct subsystems in the block discovery pipeline: the peer-to-peer gossip protocol handler, the blockchain state synchronization component, and the block download manager. The composite nature means an attacker can exploit resource allocation flaws across multiple code paths simultaneously from a single connection, creating compounding effects. Unlike traditional resource exhaustion attacks that flood capacity, this creates a logical state corruption where the node's internal block height tracking diverges from network consensus in a monotonically increasing manner (the 'block deficit' grows indefinitely). Because Zebra is written in Rust and handles cryptocurrency transaction validation, the affected component likely involves unsafe interaction between asynchronous download queues and synchronous state machine updates, allowing queue depth or state counters to grow unbounded when receiving malformed or strategically timed peer messages.

RemediationAI

Upgrade immediately to Zebra version 4.4.0 or later, which contains patches for all three subsystem vulnerabilities per vendor advisory GHSA-h9hm-m2xj-4rq9. For environments unable to upgrade immediately, implement network-layer compensating controls with awareness of operational trade-offs: (1) Deploy connection rate limiting at firewall/load balancer to restrict new peer connections to trusted IP ranges, though this degrades Zcash network participation and may impact blockchain sync performance from legitimate peers. (2) Monitor block height synchronization metrics and configure automated alerts for sync stalls exceeding 10 minutes, enabling rapid manual response to active exploitation. (3) If feasible, operate Zebra nodes behind a reverse proxy that enforces connection timeouts and maximum concurrent peer limits, though this adds latency to gossip protocol propagation. No effective workaround exists that maintains full node functionality while preventing exploitation - network isolation contradicts cryptocurrency node operational requirements. Operators should prioritize rapid patching over workarounds given availability of vendor fix and criticality of continuous blockchain synchronization.

Share

EUVD-2026-28801 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy