Summary
A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems, all exercisable from a single TCP connection, to create a monotonically growing block deficit that never self-heals.
Severity
Critical, This is a Denial of Service vulnerability that requires no authentication, no special privileges, and only a single peer connection. The halt is permanent: the node will never recover without operator intervention.
Affected Versions
All Zebra versions prior to 4.4.0.
Description
Zebra discovers new blocks through two complementary paths: a gossip path (peers announce blocks via inv messages, triggering individual block downloads) and a syncer path (Zebra periodically queries peers with FindBlocks/FindHeaders to discover chains of missing blocks). Both paths must function for normal operation.
The gossip path was vulnerable because there was no per-connection rate limit on inv messages. A single connection could send enough sequential inv messages with fake block hashes to fill the entire gossip download queue in under a millisecond. The FullQueue return value was silently ignored, so legitimate block announcements from honest peers were dropped with no warning.
The syncer backup path could be degraded by responding with empty inv to FindBlocks requests and with NotFound to block download requests. Both are valid protocol responses that carried zero misbehavior penalty. The attacker's connection was never banned and never disconnected, allowing the degradation to persist indefinitely.
Combining these two vectors, an attacker could suppress both block discovery paths simultaneously from a single connection, causing the node to fall permanently behind the chain tip.
Fixed Versions
This issue is fixed in Zebra 4.4.0.
The fix drops connections that send empty responses to FindBlocks and FindHeaders messages, preventing attackers from degrading the syncer path without consequence.
Mitigation
Users should upgrade to Zebra 4.4.0 or later immediately.
There are no known workarounds for this issue. Immediate upgrade is the only way to protect against this attack.
Credits
Zebra the researcher who reported this issue through the coordinated disclosure process.
Impact
Denial of Service
- Attack Vector: Network, unauthenticated. Requires only a single TCP peer connection.
- Effect: Permanent halt of block discovery. The targeted node falls behind the chain tip and never recovers without operator intervention.
- Scope: Any Zebra node reachable by the attacker over the peer-to-peer network.
The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44499? CVE-2026-44499 is a high-severity allocation of resources without limits or throttling vulnerability in zebrad (rust), affecting versions < 4.4.0. It is fixed in 4.4.0. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
- Which versions of zebrad are affected by CVE-2026-44499? zebrad (rust) versions < 4.4.0 is affected.
- Is there a fix for CVE-2026-44499? Yes. CVE-2026-44499 is fixed in 4.4.0. Upgrade to this version or later.
- Is CVE-2026-44499 exploitable, and should I be worried? Whether CVE-2026-44499 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44499 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44499? Upgrade
zebradto 4.4.0 or later.