Zebra Node Vulnerability in Zcash written in Rust
CVE-2026-41585
6.9MEDIUM
What is CVE-2026-41585?
A vulnerability exists in the JSON-RPC HTTP middleware of Zebra, a Zcash node written in Rust. This issue affects zebrad versions up to 4.3.1 and zebra-rpc versions prior to 6.0.2. An authenticated RPC client can exploit this vulnerability by disconnecting before the request body is fully transmitted, which results in the Zebra node crashing due to an unrecoverable error triggered by an incomplete HTTP request. Instead of providing an error response, the node aborts the process entirely, leading to potential service disruption. The vulnerability has been addressed in the latest versions of zebrad and zebra-rpc.
Affected Version(s)
zebra zebra-rpc >= 1.0.0-beta.45, < 6.0.2 < zebra-rpc 1.0.0-beta.45, 6.0.2
zebra zebrad >= 2.2.0, < 4.3.1 < zebrad 2.2.0, 4.3.1
