CVE-2026-44500
Analyzed Analyzed - Analysis Complete
Allocation Bypass in ZEBRA Node

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-44500
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
zfnd zebra-chain to 7.0.0 (exc)
zfnd zebra-network to 6.0.0 (exc)
zfnd zebrad to 4.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the ZEBRA Zcash node software, specifically in versions prior to zebrad 4.4.0, zebra-chain 7.0.0, and zebra-network 6.0.0. Several inbound deserialization paths allocate buffers based on generic transport or block-size ceilings before enforcing tighter protocol or consensus limits.

As a result, an unauthenticated or post-handshake peer can force the node to preallocate and parse significantly more data than intended by the protocol. This affects headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.

This issue has been fixed in the specified newer versions of the software.


How can this vulnerability impact me? :

The vulnerability can lead to resource exhaustion on the affected node by forcing it to allocate and process much larger amounts of data than intended. This can degrade performance or potentially cause denial of service conditions.

Since the attack can be performed by an unauthenticated or post-handshake peer, it increases the risk of exploitation from external sources without requiring privileged access.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade your Zebra components to the patched versions: zebrad to version 4.4.0 or later, zebra-chain to version 7.0.0 or later, and zebra-network to version 6.0.0 or later.

These updates fix the issue where inbound deserialization paths allocated excessively large buffers, preventing potential denial of service caused by allocation amplification.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart