CVE-2026-44499
Status: Received (Intake)
Zebra Node Denial-of-Service in Block Discovery Pipeline

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Zebra is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack chains three independent weaknesses in the gossip, syncer, and download subsystems, all exercisable from a single TCP connection, to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.
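The advisory classifies the weakness as CWE-770 (resource allocation without limits) and describes a block deficit that grows monotonically and never self-heals. The Rust example below is an added illustration of that weakness class written for this page; it is not Zebra's code and does not reproduce the three specific gossip, syncer and download weaknesses, whose details the page does not give. It contrasts a download backlog that accepts every gossiped block hash from one connection without bound (a plain Vec) against a queue that enforces a total cap, a per-peer cap on outstanding hashes, deduplication, and a retry budget so a hash that never downloads is eventually dropped and the peer's budget refunded. The `BlockHash`, `PeerId`, `BoundedQueue`, `simulate_flood` and `simulate_unfetchable` names, the cap values, and both scenarios are assumptions constructed for the example.

```rust
use std::collections::{HashMap, VecDeque};

/// Block hash as a 32-byte array and peer id as a u32 (both assumed types).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct BlockHash(pub [u8; 32]);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct PeerId(pub u32);

/// Outcome of admitting a gossiped hash into the bounded queue.
#[derive(Debug, PartialEq, Eq)]
pub enum Admit { Queued, Duplicate, PeerLimit, QueueFull }

/// Download queue with the limits CWE-770 is about: a total cap, a per-peer cap on
/// outstanding hashes, deduplication, and a retry budget so a hash that never
/// downloads is eventually dropped instead of being re-queued forever.
#[derive(Default)]
pub struct BoundedQueue {
    max_total: usize,
    max_per_peer: usize,
    max_attempts: u32,
    pending: VecDeque<BlockHash>,
    /// Every hash queued or in flight: origin peer and failed attempts so far.
    tracked: HashMap<BlockHash, (PeerId, u32)>,
    /// Hashes currently charged to each peer.
    per_peer: HashMap<PeerId, usize>,
}

impl BoundedQueue {
    pub fn new(max_total: usize, max_per_peer: usize, max_attempts: u32) -> Self {
        BoundedQueue { max_total, max_per_peer, max_attempts, ..Default::default() }
    }

    /// Admit a gossiped hash; every cap is checked before anything is stored.
    pub fn on_inv(&mut self, peer: PeerId, hash: BlockHash) -> Admit {
        if self.tracked.contains_key(&hash) { return Admit::Duplicate; }
        if self.outstanding_for(peer) >= self.max_per_peer { return Admit::PeerLimit; }
        if self.tracked.len() >= self.max_total { return Admit::QueueFull; }
        self.pending.push_back(hash);
        self.tracked.insert(hash, (peer, 0));
        *self.per_peer.entry(peer).or_insert(0) += 1;
        Admit::Queued
    }

    /// Next hash to fetch; it stays charged to its peer until released.
    pub fn next(&mut self) -> Option<BlockHash> {
        self.pending.pop_front()
    }

    /// Record the result of fetching a hash handed out by `next()`. Returns true
    /// once the hash is released: it downloaded, or its retry budget ran out.
    pub fn on_fetch_result(&mut self, hash: BlockHash, ok: bool) -> bool {
        let entry = self.tracked.get_mut(&hash).expect("hash came from next()");
        entry.1 += 1;
        let (peer, tries) = *entry;
        if ok || tries >= self.max_attempts {
            self.tracked.remove(&hash);
            // Refund the peer's budget so its future advertisements are accepted.
            *self.per_peer.get_mut(&peer).expect("peer was charged") -= 1;
            true
        } else {
            self.pending.push_back(hash);
            false
        }
    }

    /// Hashes (queued or in flight) currently charged to `peer`.
    pub fn outstanding_for(&self, peer: PeerId) -> usize {
        self.per_peer.get(&peer).copied().unwrap_or(0)
    }
}

/// Constructed scenario: one hostile connection advertises `n` distinct hashes that
/// never resolve. Returns the backlog held by an unbounded queue (a plain Vec, the
/// weak pattern) and by the bounded queue.
pub fn simulate_flood(n: u32) -> (usize, usize) {
    let attacker = PeerId(7);
    let mut unbounded: Vec<BlockHash> = Vec::new();
    let mut bounded = BoundedQueue::new(1_000, 64, 3);
    for i in 0..n {
        let mut raw = [0u8; 32];
        raw[..4].copy_from_slice(&i.to_le_bytes());
        let hash = BlockHash(raw);
        unbounded.push(hash); // accepted without any check
        bounded.on_inv(attacker, hash); // PeerLimit after 64 outstanding
    }
    (unbounded.len(), bounded.tracked.len())
}

/// Constructed scenario: a hash that always fails to download. Returns the number
/// of fetch attempts before the bounded queue drops it, and the peer's outstanding
/// count afterwards.
pub fn simulate_unfetchable() -> (u32, usize) {
    let peer = PeerId(3);
    let mut q = BoundedQueue::new(1_000, 64, 3);
    q.on_inv(peer, BlockHash([0xab; 32]));
    let mut fetches = 0;
    while let Some(h) = q.next() {
        fetches += 1;
        if q.on_fetch_result(h, false) { break; }
    }
    (fetches, q.outstanding_for(peer))
}
```

The point of the per-peer cap is that a single connection cannot consume the whole total cap: in `simulate_flood` the bounded queue stops at 64 outstanding hashes for the attacker while the unbounded Vec holds all of them, and in `simulate_unfetchable` a hash that never arrives is given up on after three attempts and the peer's budget is refunded, which is the "self-heals" property the advisory says the vulnerable pipeline lacks.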
Meta Information
Generated: 2026-05-09
AI Q&A generated: 2026-05-08
EPSS: not evaluated
Affected Vendors & Products
Vendor: zebra
Product: zebra
Versions: all versions before 4.4.0 (4.4.0 itself is not affected)
Weakness
CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability affects Zebra, a Zcash node implementation written in Rust. Before version 4.4.0, there is a composite denial-of-service (DoS) vulnerability in Zebra's block discovery pipeline. An unauthenticated remote attacker can exploit three independent weaknesses in the gossip, syncer, and download subsystems through a single TCP connection. This attack causes a continuously growing block deficit that never recovers, effectively halting all new block discovery on the targeted node permanently.


How can this vulnerability impact me?

The impact is a persistent denial of service on the affected Zebra node. An attacker who can open a single TCP connection to the node, with no authentication, can stop it from discovering new blocks; because the advisory says the resulting block deficit never self-heals, the node does not catch up on its own and falls ever further behind the chain tip. Any service that reads chain state from that node (wallets, explorers, payment processing) is then served stale data. The advisory describes an availability impact only; it does not claim any effect on the integrity of chain data.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Zebra to version 4.4.0 or later, where the issue has been patched; no other fix is described. Because the attack needs only an unauthenticated TCP connection, limiting which remote hosts can reach the node's peer-to-peer listening port (for example at the firewall) reduces exposure until the upgrade is done, but it is not a substitute for patching. After upgrading, confirm the node is again discovering new blocks and keeping pace with the chain tip.

