Zebra Node Deserialization Vulnerability in Zcash Software by Zcash Foundation
CVE-2026-44500

5.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-44500?

Zebra, a Zcash node implementation in Rust, has a vulnerability that allows an unauthenticated peer to exploit multiple inbound deserialization paths. This issue enables the manipulation of node behavior, resulting in the preallocation and processing of excessive data, which surpasses the limits defined by the protocol. This vulnerability affects versions of zebrad prior to 4.4.0 and the associated zebra-chain and zebra-network packages prior to versions 7.0.0 and 6.0.0, respectively, making systems vulnerable to potential data overflow attacks. Proper patching in later versions has addressed this critical issue.

Affected Version(s)

zebra zebrad < 4.4.0 < zebrad 4.4.0

zebra zebra-chain < 7.0.0 < zebra-chain 7.0.0

zebra zebra-network < 6.0.0 < zebra-network 6.0.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.