Denial-of-Service Vulnerability in Zebra Zcash Node by Zcash Foundation
CVE-2026-44499

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-44499?

Zebra, a Zcash node implementation developed in Rust, has a composite denial-of-service vulnerability that can be exploited by unauthenticated remote attackers. This issue arises from three independent weaknesses within the block discovery pipeline, specifically affecting the gossip, syncer, and download subsystems. When exploited via a single TCP connection, this vulnerability enables an attacker to create an ever-growing deficit in block discovery that cannot self-correct, effectively freezing the node's ability to discover new blocks. Users are strongly advised to upgrade to version 4.4.0 to mitigate this risk.

Affected Version(s)

zebra < 4.4.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.