CVE-2026-44499: Permanent Block Discovery Halt in Zebra via Gossip Queue Saturation
Vulnerability ID: CVE-2026-44499
CVSS Score: 8.7
Published: 2026-05-08
CVE-2026-44499 is a composite Denial of Service (DoS) vulnerability affecting Zebra, the Rust implementation of a Zcash full node. By exploiting architectural flaws in the peer-to-peer (P2P) communication stack, an unauthenticated attacker can saturate internal message queues and poison the chain discovery process, permanently isolating the target node from the network.
TL;DR
Unauthenticated attackers can permanently halt block discovery in Zebra nodes prior to v4.4.0 by saturating the P2P gossip queue and providing unpenalized empty responses to synchronization requests.
Technical Details
- CVSS Score: 8.7
- CWE ID: CWE-770
- Attack Vector: Network
- Exploit Status: None
- KEV Status: Not Listed
- Authentication: None Required
Affected Systems
- Zebra < 4.4.0
-
Zebra: < 4.4.0 (Fixed in:
4.4.0)
Code Analysis
Commit: 602c8b7
Implementation of Stall Tracking and peer penalization logic
Commit: 85303ea
Allocation hardening and size bounds enforcement
Mitigation Strategies
- Upgrade to Zebra version 4.4.0 or later.
- Implement network-level rate limiting for inbound P2P connections.
- Monitor node synchronization metrics for abrupt halts in block height progression.
Remediation Steps:
- Stop the affected Zebra service gracefully.
- Update the Zebra binary to version 4.4.0 via your package manager or by compiling from the official repository.
- Restart the Zebra service and monitor the logs to verify successful synchronization with the network.
References
Read the full report for CVE-2026-44499 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)