Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-44500— ZEBRA: Allocation Amplification in Inbound Network Deserializers

CVSS 5.3 · Medium EPSS 0.05% · P14
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44500

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ZEBRA: Allocation Amplification in Inbound Network Deserializers
Source: NVD (National Vulnerability Database)
Vulnerability Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
zebra 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
zebra是Zcash Foundation开源的一个用Rust编写的Zcash全节点实现。 zebra 4.4.0之前版本存在安全漏洞,该漏洞源于多个入站反序列化路径分配缓冲区过大,可能导致攻击者强制节点预分配和解析大量数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
ZcashFoundationzebra zebrad < 4.4.0 -

II. Public POCs for CVE-2026-44500

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-44500

登录查看更多情报信息。

Same Patch Batch · ZcashFoundation · 2026-05-08 · 7 CVEs total

CVE-2026-41585ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients
CVE-2026-41583ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling
CVE-2026-41584ZEBRA: rk Identity Point Panic in Transaction Verification
CVE-2026-44497ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
CVE-2026-44498ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
CVE-2026-44499ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning

IV. Related Vulnerabilities

Same product: zebra
Same vendor: ZcashFoundation
Same weakness: CWE-770

V. Comments for CVE-2026-44500

No comments yet

Leave a comment