CVE-2026-44500

CVE-2026-44500 is a medium-severity allocation of resources without limits or throttling vulnerability in zebra-network (rust), affecting versions <= 5.0.2. It is fixed in zebra-network 6.0.0, zebrad 4.4.0 and zebra-chain 7.0.0.

Summary

CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers

Several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.

Severity

Moderate - This is a denial-of-service vulnerability that allows a malicious peer to amplify per-message memory and parse cost on Zebra nodes, with the effect multiplied by multi-peer fan-in.

Each individual case is bounded by the 2 MiB transport ceiling or the block-size cap, so no single message causes unbounded allocation, but the cumulative gap between intended and actual limits is significant.

Affected Versions

All Zebra versions prior to 4.4.0.

Description

Zebra's network codec uses TrustedPreallocate and generic Vec deserialization to bound inbound message parsing. In several places the bound used at the deserializer was the generic transport or block-size ceiling rather than the tighter protocol or consensus rule that applies to the field, so allocation happened first and the real limit was only enforced afterwards. Four such cases were identified:

  • Headers message receive cap. read_headers() deserialized the CountedHeader vector via the generic TrustedPreallocate path, which allowed up to ~1,409 entries per message. The protocol ceiling MAX_FIND_BLOCK_HEADERS_RESULTS = 160 was only used on the send side, giving an ~8.8x preallocation gap on receive. Reachable before the version handshake completes, since the codec is installed on raw bytes.
  • Equihash solution length. Solution::zcash_deserialize decoded the solution as a generic Vec<u8> and only checked the exact consensus size (1344 bytes mainnet/testnet, 36 bytes regtest) afterwards in Solution::from_bytes. A single fixed-size header field could be inflated to nearly the full block-size ceiling before rejection.
  • Sapling spend vectors in coinbase transactions. V5 spend_prefixes and V4 shielded_spends were allocated generically with block-size-derived ceilings (~5,681 / ~5,208 entries) before the consensus rule that coinbase transactions have zero Sapling spends was enforced in the verifier.
  • Coinbase script bytes. Input::zcash_deserialize() read the coinbase script as a generic Vec<u8> up to the message-size cap before enforcing the consensus rule that coinbase scripts are between 2 and 100 bytes.

An attacker could exploit this by:

  • Opening an inbound TCP connection (and, for the latter three cases, completing the version handshake).
  • Sending one of: a headers message with a CompactSize count up to ~1,409, a block whose header carries an inflated equihash CompactSize, a tx declaring a coinbase input with a large nSpendsSapling, or a block with a coinbase input whose script length is near the message-size ceiling.
  • The deserializer allocates against the loose ceiling, parses, and only then rejects.
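The ordering defect above, reduced to one function pair. This is an added illustration, not Zebra's code: the CompactSize reader, the `Receive` struct and both `*_receive_*` functions are my own, and only the 160 / 1,344 / 1,409 / 2..=100 figures come from the advisory. The loose variant reserves against the generic cap and consults the protocol limit afterwards; the bounded variant checks the field's own inclusive range before any allocation, so the same helper serves the per-message cap, the exact Equihash size and the coinbase script window.

```rust
use std::io::{self, Cursor, Read};

/// Limits quoted in the advisory: the protocol cap on headers per message and the
/// exact Equihash solution size on mainnet/testnet.
pub const MAX_FIND_BLOCK_HEADERS_RESULTS: usize = 160;
pub const EQUIHASH_SOLUTION_BYTES: usize = 1344;
/// Generic transport-derived element cap the old receive path used (advisory: ~1,409).
pub const GENERIC_HEADERS_CAP: usize = 1409;

/// Read a Bitcoin/Zcash-style CompactSize prefix (1, 3, 5 or 9 bytes, little-endian).
pub fn read_compact_size<R: Read>(r: &mut R) -> io::Result<u64> {
    let mut tag = [0u8; 1];
    r.read_exact(&mut tag)?;
    Ok(match tag[0] {
        n @ 0..=0xfc => u64::from(n),
        0xfd => { let mut b = [0u8; 2]; r.read_exact(&mut b)?; u64::from(u16::from_le_bytes(b)) }
        0xfe => { let mut b = [0u8; 4]; r.read_exact(&mut b)?; u64::from(u32::from_le_bytes(b)) }
        _ => { let mut b = [0u8; 8]; r.read_exact(&mut b)?; u64::from_le_bytes(b) }
    })
}

/// What a receive cost: elements reserved before the verdict, and the verdict itself.
#[derive(Debug, PartialEq)]
pub struct Receive { pub reserved: usize, pub accepted: bool }

/// Vulnerable shape (modelled on the advisory's headers case): capacity is derived from
/// the generic transport cap, and the protocol limit is consulted only after the vector
/// exists. A count of 1,409 still costs a 1,409-slot reservation before it is rejected.
pub fn headers_receive_loose(msg: &[u8]) -> io::Result<Receive> {
    let count = read_compact_size(&mut Cursor::new(msg))? as usize;
    let v: Vec<[u8; 80]> = Vec::with_capacity(count.min(GENERIC_HEADERS_CAP));
    Ok(Receive { reserved: v.capacity(), accepted: count <= MAX_FIND_BLOCK_HEADERS_RESULTS })
}

/// Hardened shape: the declared length must lie inside the field's own inclusive range
/// before anything is reserved. The same check serves a per-message cap (0..=160), an
/// exact size (1344..=1344) and the 2..=100 coinbase script window from the advisory.
pub fn receive_bounded(msg: &[u8], min: usize, max: usize) -> io::Result<Receive> {
    let count = read_compact_size(&mut Cursor::new(msg))?;
    if count < min as u64 || count > max as u64 {
        return Ok(Receive { reserved: 0, accepted: false }); // rejected, nothing allocated
    }
    let v: Vec<u8> = Vec::with_capacity(count as usize); // now bounded by the real limit
    Ok(Receive { reserved: v.capacity(), accepted: true })
}
```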

Fixed Versions

This issue is fixed in Zebra 4.4.0.

Mitigation

Users should upgrade to Zebra 4.4.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to remove the amplified allocation surface on inbound peer messages.

Credits

Zebra thanks @Zk-nd3r for finding and reporting the issues.

Impact

Denial of Service

  • Attack Vector: Network.
  • Effect: Amplified per-message allocation and parse cost on inbound peer messages, stackable across concurrent connections. The concrete effect will be influenced by how much memory Zebra has available.
  • Scope: Any affected Zebra node.

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

CVE-2026-44500 has a CVSS score of 5.3 (Medium). The vector is network-reachable, requires no privileges and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (zebra-network 6.0.0, zebrad 4.4.0, zebra-chain 7.0.0); upgrading removes the vulnerable code path.

Affected versions

  • zebra-network (<= 5.0.2)
  • zebrad (< 4.4.0)
  • zebra-chain (<= 6.0.3)

Security releases

  • zebra-network → 6.0.0 (rust)
  • zebrad → 4.4.0 (rust)
  • zebra-chain → 7.0.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • zebra-network to 6.0.0 or later
  • zebrad to 4.4.0 or later
  • zebra-chain to 7.0.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-44500? CVE-2026-44500 is a medium-severity allocation of resources without limits or throttling vulnerability in zebra-network (rust), affecting versions <= 5.0.2. It is fixed in 6.0.0, 4.4.0, 7.0.0. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
  2. How severe is CVE-2026-44500? CVE-2026-44500 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-44500?
    • zebra-network (rust) (versions <= 5.0.2)
    • zebrad (rust) (versions < 4.4.0)
    • zebra-chain (rust) (versions <= 6.0.3)
  4. Is there a fix for CVE-2026-44500? Yes. CVE-2026-44500 is fixed in zebra-network 6.0.0, zebrad 4.4.0 and zebra-chain 7.0.0. Upgrade each package to its fixed version or later.
  5. Is CVE-2026-44500 exploitable, and should I be worried? Whether CVE-2026-44500 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44500 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44500?
    • Upgrade zebra-network to 6.0.0 or later
    • Upgrade zebrad to 4.4.0 or later
    • Upgrade zebra-chain to 7.0.0 or later
