Zebra Node Deserialization Vulnerability in Zcash Software by Zcash Foundation
CVE-2026-44500
What is CVE-2026-44500?
Zebra, a Zcash node implementation in Rust, has a vulnerability that allows an unauthenticated peer to exploit multiple inbound deserialization paths. This issue enables the manipulation of node behavior, resulting in the preallocation and processing of excessive data, which surpasses the limits defined by the protocol. This vulnerability affects versions of zebrad prior to 4.4.0 and the associated zebra-chain and zebra-network packages prior to versions 7.0.0 and 6.0.0, respectively, making systems vulnerable to potential data overflow attacks. Proper patching in later versions has addressed this critical issue.
Affected Version(s)
zebra zebrad < 4.4.0 < zebrad 4.4.0
zebra zebra-chain < 7.0.0 < zebra-chain 7.0.0
zebra zebra-network < 6.0.0 < zebra-network 6.0.0
