Out-of-Memory Vulnerability in Zcash Node by Zcash Foundation
CVE-2026-40881

6.3MEDIUM

Key Information:

Vendor: Zcashfoundation
Status: Zebrad; Zebra-network
Vendor: CVE Published:; 21 April 2026

🔔 Create Zcashfoundation Vulnerability Alert

What is CVE-2026-40881?

The ZEBRA node implemented by the Zcash Foundation contains a vulnerability that can be exploited when deserializing addr or addrv2 messages. When these messages, which contain vectors of addresses, exceed the expected limits, ZEBRA allocates memory based on an oversized length derived from the message size limit, rather than adhering to a stricter limit defined in the specification. This issue can lead to out-of-memory conditions, potentially causing the ZEBRA node to abort unexpectedly when an attacker sends multiple oversized messages across different connections. Users are advised to update to zebrad version 4.3.0 or zebra-network version 5.0.1 to mitigate this risk.

Affected Version(s)

zebra-network < 5.0.1

zebrad < 4.3.1

References

https://github.com/ZcashFoundation/zebra/security/advisor...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40881 Data

JSON