CVE-2026-44499
Received Received - Intake
Zebra Node Denial-of-Service in Block Discovery Pipeline

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems β€” all exercisable from a single TCP connection β€” to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44499
EUVD
EUVD-2026-28801
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zebra zebra to 4.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects Zebra, a Zcash node implementation written in Rust. Before version 4.4.0, there is a composite denial-of-service (DoS) vulnerability in Zebra's block discovery pipeline. An unauthenticated remote attacker can exploit three independent weaknesses in the gossip, syncer, and download subsystems through a single TCP connection. This attack causes a continuously growing block deficit that never recovers, effectively halting all new block discovery on the targeted node permanently.

Impact Analysis

The impact of this vulnerability is a permanent denial-of-service condition on the affected Zebra node. An attacker can remotely and without authentication stop the node from discovering any new blocks, which means the node will no longer be able to stay synchronized with the blockchain network. This can disrupt services relying on the node for blockchain data and potentially affect the integrity and availability of blockchain operations dependent on that node.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Zebra to version 4.4.0 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart