CVE-2026-44500
Analyzed Analyzed - Analysis Complete
Allocation Bypass in ZEBRA Node

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44500
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
zfnd zebra-chain to 7.0.0 (exc)
zfnd zebra-network to 6.0.0 (exc)
zfnd zebrad to 4.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the ZEBRA Zcash node software, specifically in versions prior to zebrad 4.4.0, zebra-chain 7.0.0, and zebra-network 6.0.0. Several inbound deserialization paths allocate buffers based on generic transport or block-size ceilings before enforcing tighter protocol or consensus limits.

As a result, an unauthenticated or post-handshake peer can force the node to preallocate and parse significantly more data than intended by the protocol. This affects headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.

This issue has been fixed in the specified newer versions of the software.

Impact Analysis

The vulnerability can lead to resource exhaustion on the affected node by forcing it to allocate and process much larger amounts of data than intended. This can degrade performance or potentially cause denial of service conditions.

Since the attack can be performed by an unauthenticated or post-handshake peer, it increases the risk of exploitation from external sources without requiring privileged access.

Mitigation Strategies

To mitigate this vulnerability, upgrade your Zebra components to the patched versions: zebrad to version 4.4.0 or later, zebra-chain to version 7.0.0 or later, and zebra-network to version 6.0.0 or later.

These updates fix the issue where inbound deserialization paths allocated excessively large buffers, preventing potential denial of service caused by allocation amplification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart