Denial-of-Service Vulnerability in Zebra Zcash Node by Zcash Foundation
CVE-2026-44499
8.7HIGH
What is CVE-2026-44499?
Zebra, a Zcash node implementation developed in Rust, has a composite denial-of-service vulnerability that can be exploited by unauthenticated remote attackers. This issue arises from three independent weaknesses within the block discovery pipeline, specifically affecting the gossip, syncer, and download subsystems. When exploited via a single TCP connection, this vulnerability enables an attacker to create an ever-growing deficit in block discovery that cannot self-correct, effectively freezing the node's ability to discover new blocks. Users are strongly advised to upgrade to version 4.4.0 to mitigate this risk.
Affected Version(s)
zebra < 4.4.0
