CVE-2026-41585
Analyzed Analyzed - Analysis Complete
Zebra Node Crash via Premature RPC Disconnection

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41585
EUVD
EUVD-2026-28655
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
zfnd zebra-rpc From 2.0.0 (inc) to 6.0.2 (exc)
zfnd zebra-rpc 1.0.0
zfnd zebra-rpc 1.0.0
zfnd zebra-rpc 1.0.0
zfnd zebrad From 2.2.0 (inc) to 4.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CWE-248 An exception is thrown from a function, but it is not caught.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41585 is a Denial of Service (DoS) vulnerability in Zebra's JSON-RPC HTTP middleware. It allows an authenticated RPC client to crash a Zebra node by disconnecting before the request body is fully received.

The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response.

This issue affects zebrad versions 2.2.0 to before 4.3.1 and zebra-rpc versions 1.0.0-beta.45 to before 6.0.2 and has been fixed in zebrad 4.3.1 and zebra-rpc 6.0.2.

Impact Analysis

This vulnerability can cause a Zebra node to crash, resulting in a Denial of Service (DoS) condition.

An authenticated RPC client with valid credentials can exploit this by disconnecting prematurely during a request, causing the node to abort unexpectedly.

This impacts the availability of the Zebra node, potentially disrupting services that depend on it.

Detection Guidance

This vulnerability affects Zebra nodes running specific versions of zebrad and zebra-rpc when an authenticated RPC client disconnects before the request body is fully received, causing the node to crash. Detection involves monitoring for unexpected crashes or process aborts of the Zebra node.

Since the vulnerability requires an authenticated RPC client, checking for unusual or repeated RPC client disconnections or failures in the logs may help identify exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade to zebrad version 4.3.1 or later, or zebra-rpc version 6.0.2 or later, where the issue has been fixed.

If upgrading immediately is not possible, ensure that the RPC port is not exposed to untrusted networks and that cookie authentication remains enabled, as nodes using default settings with RPC bound to localhost and cookie authentication enabled are not vulnerable.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart