Zebra Node Vulnerability in Zcash written in Rust
CVE-2026-41585

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-41585?

A vulnerability exists in the JSON-RPC HTTP middleware of Zebra, a Zcash node written in Rust. This issue affects zebrad versions up to 4.3.1 and zebra-rpc versions prior to 6.0.2. An authenticated RPC client can exploit this vulnerability by disconnecting before the request body is fully transmitted, which results in the Zebra node crashing due to an unrecoverable error triggered by an incomplete HTTP request. Instead of providing an error response, the node aborts the process entirely, leading to potential service disruption. The vulnerability has been addressed in the latest versions of zebrad and zebra-rpc.

Affected Version(s)

zebra zebra-rpc >= 1.0.0-beta.45, < 6.0.2 < zebra-rpc 1.0.0-beta.45, 6.0.2

zebra zebrad >= 2.2.0, < 4.3.1 < zebrad 2.2.0, 4.3.1

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.