CVE-2026-52829

CVE-2026-52829 is a high-severity type confusion vulnerability in zebra-network (rust), affecting versions <= 6.0.0. It is fixed in zebra-network 7.0.0 and zebrad 4.5.0.

Summary

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node listens on the default [::] address on a Linux host (the standard deployment configuration; net.ipv6.bindv6only=0 is the default on all common Linux distributions).
  3. Your node is synced near the chain tip (the expected production state for any node participating in the network).

An address normalization mismatch between the handshake path and the mempool misbehavior path causes a deterministic assertion panic when a peer connects via IPv4 to a dual-stack IPv6 listener and then triggers a mempool misbehavior penalty.

The handshake path canonicalizes IPv4-mapped IPv6 addresses to plain IPv4 when storing the peer in the address book via MetaAddr::new_connected. The mempool misbehavior path forwards the raw transient socket address (IPv4-mapped IPv6 form) when sending MetaAddrChange::UpdateMisbehavior to the address book. The address book looks up the canonical IPv4 entry but then asserts that the previous entry's address matches the change's address. The mismatch between the canonical IPv4 address and the raw IPv4-mapped IPv6 address triggers the assertion, and panic = "abort" terminates the process.

Details

On Linux with net.ipv6.bindv6only=0, an IPv4 connection accepted by a [::] listener is represented internally as an IPv4-mapped IPv6 socket address (e.g., ::ffff:127.0.0.1:8233). Zebra's canonical_peer_addr helper converts these to plain IPv4 (e.g., 127.0.0.1:8233).

The handshake path uses MetaAddr::new_connected, which canonicalizes the address before storing in the address book. However, inbound inventory registration uses connected_addr.get_transient_addr(), preserving the raw IPv4-mapped form. When the mempool later downloads an invalid transaction from this peer and generates a misbehavior penalty, the raw transient address is forwarded through the misbehavior channel to MetaAddrChange::UpdateMisbehavior, which does not canonicalize.

After the 30-second misbehavior batch flush, AddressBook::update retrieves the canonical IPv4 entry but MetaAddrChange::apply_to_meta_addr asserts that previous.addr == self.addr(), which fails because one is IPv4 and the other is IPv4-mapped IPv6.

The attacker needs only to complete a P2P handshake over IPv4 to a dual-stack listener and advertise an invalid mempool transaction (such as a coinbase transaction). The assertion fires after the 30-second misbehavior batch flush.

Workarounds

Configuring listen_addr to an IPv4-only address (e.g., 0.0.0.0:8233) avoids the IPv4-mapped IPv6 representation and prevents this specific assertion. Alternatively, setting net.ipv6.bindv6only=1 on Linux prevents dual-stack acceptance.

Credit

Reported by @Haxatron.

Impact

A remote unauthenticated peer can deterministically crash any synced Zebra node running the default Linux dual-stack configuration with a single invalid mempool transaction advertisement, followed by a 30-second wait. The attack requires no mining capability, no RPC access, no funds, and no special privileges. The crash can be repeated after each restart, causing persistent downtime. Linux dual-stack sockets and mempool activation are the default production state, not special preconditions.

An object is accessed using a type that is incompatible with its actual type, causing the runtime to interpret memory incorrectly. Typical impact: memory safety violations, unexpected behavior, or code execution.

CVE-2026-52829 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (zebra-network 7.0.0, zebrad 4.5.0); upgrading removes the vulnerable code path.

Affected versions

  • zebra-network (<= 6.0.0)
  • zebrad (<= 4.4.1)

Security releases

  • zebra-network → 7.0.0 (rust)
  • zebrad → 4.5.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Patched in Zebra 4.5.0. The fix canonicalizes the address in the misbehavior update path via a new MetaAddr::new_misbehavior constructor that applies canonical_peer_addr before creating the UpdateMisbehavior change.
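The Details and Remediation advice sections above describe the mismatch in words; the following is an added, simplified Rust model of that mechanism, not Zebra's own code. It re-implements the canonicalisation step (a stand-in for Zebra's `canonical_peer_addr`, using the standard library's `Ipv6Addr::to_ipv4_mapped`), a toy address book keyed by canonical address, and two ways of building the misbehavior change: one that forwards the raw transient address (the vulnerable path) and one that canonicalises first (the shape of the 4.5.0 fix). Where Zebra asserts and aborts, this model returns an `AddrMismatch` error so the failure can be observed in a running program. The names `AddressBook::insert_connected`, `UpdateMisbehavior`, `ApplyError`, `misbehavior_change_vulnerable` and `misbehavior_change_fixed` are assumptions made for this example.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, SocketAddr};

/// Stand-in for Zebra's `canonical_peer_addr`: an IPv4-mapped IPv6 socket
/// address (what a dual-stack `[::]` listener on Linux yields for an IPv4
/// peer, e.g. `[::ffff:127.0.0.1]:8233`) becomes plain IPv4 (`127.0.0.1:8233`).
/// Native IPv6 and plain IPv4 addresses are returned unchanged.
pub fn canonical_peer_addr(addr: SocketAddr) -> SocketAddr {
    match addr {
        SocketAddr::V6(v6) => match v6.ip().to_ipv4_mapped() {
            Some(v4) => SocketAddr::new(IpAddr::V4(v4), v6.port()),
            None => addr,
        },
        SocketAddr::V4(_) => addr,
    }
}

/// Minimal address-book entry (assumed shape, not Zebra's `MetaAddr`).
#[derive(Debug, Clone, PartialEq)]
pub struct MetaAddr {
    pub addr: SocketAddr,
    pub misbehavior_score: u32,
}

impl MetaAddr {
    /// Handshake path: the address is canonicalised before it is stored.
    pub fn new_connected(transient_addr: SocketAddr) -> MetaAddr {
        MetaAddr { addr: canonical_peer_addr(transient_addr), misbehavior_score: 0 }
    }
}

/// Stand-in for `MetaAddrChange::UpdateMisbehavior`.
#[derive(Debug, Clone)]
pub struct UpdateMisbehavior {
    pub addr: SocketAddr,
    pub score_increment: u32,
}

/// In Zebra the mismatch is an assertion under `panic = "abort"`; here it is
/// surfaced as an error so the example can demonstrate it without crashing.
#[derive(Debug, PartialEq)]
pub enum ApplyError {
    AddrMismatch { previous: SocketAddr, change: SocketAddr },
    Unknown(SocketAddr),
}

pub struct AddressBook {
    by_addr: HashMap<SocketAddr, MetaAddr>,
}

impl AddressBook {
    pub fn new() -> Self {
        AddressBook { by_addr: HashMap::new() }
    }

    pub fn insert_connected(&mut self, meta: MetaAddr) {
        self.by_addr.insert(meta.addr, meta);
    }

    /// Lookup is by the canonical key, but the stored entry's address must
    /// equal the change's address exactly (the check the advisory describes).
    pub fn update(&mut self, change: &UpdateMisbehavior) -> Result<u32, ApplyError> {
        let key = canonical_peer_addr(change.addr);
        let previous = self.by_addr.get_mut(&key).ok_or(ApplyError::Unknown(key))?;
        if previous.addr != change.addr {
            return Err(ApplyError::AddrMismatch { previous: previous.addr, change: change.addr });
        }
        previous.misbehavior_score += change.score_increment;
        Ok(previous.misbehavior_score)
    }
}

/// Vulnerable path: forwards the raw transient (IPv4-mapped IPv6) address.
pub fn misbehavior_change_vulnerable(transient: SocketAddr, inc: u32) -> UpdateMisbehavior {
    UpdateMisbehavior { addr: transient, score_increment: inc }
}

/// Fixed path: canonicalise before building the change, as the 4.5.0 fix
/// does through its `MetaAddr::new_misbehavior` constructor.
pub fn misbehavior_change_fixed(transient: SocketAddr, inc: u32) -> UpdateMisbehavior {
    UpdateMisbehavior { addr: canonical_peer_addr(transient), score_increment: inc }
}

/// Runs both paths against an address book holding one IPv4 peer that
/// connected through a dual-stack listener (constructed sample address).
pub fn demo() -> (Result<u32, ApplyError>, Result<u32, ApplyError>) {
    let transient: SocketAddr = "[::ffff:127.0.0.1]:8233".parse().unwrap();
    let mut book = AddressBook::new();
    book.insert_connected(MetaAddr::new_connected(transient));
    let vulnerable = book.update(&misbehavior_change_vulnerable(transient, 10));
    let fixed = book.update(&misbehavior_change_fixed(transient, 10));
    (vulnerable, fixed)
}

fn main() {
    let (vulnerable, fixed) = demo();
    println!("raw transient address: {:?}", vulnerable);
    println!("canonicalised address: {:?}", fixed);
}
```

The model makes the root cause concrete: the lookup succeeds in both cases because it is keyed on the canonical form, so the only difference between the two paths is the address carried inside the change. That is why the fix belongs at the point where the change is constructed, and why a defender reviewing similar code should check that every producer of an address-book change applies the same normalisation as the handshake path.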

Frequently Asked Questions

  1. What is CVE-2026-52829? CVE-2026-52829 is a high-severity type confusion vulnerability in zebra-network (rust), affecting versions <= 6.0.0. It is fixed in 7.0.0, 4.5.0. An object is accessed using a type that is incompatible with its actual type, causing the runtime to interpret memory incorrectly.
  2. How severe is CVE-2026-52829? CVE-2026-52829 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-52829?
    • zebra-network (rust) (versions <= 6.0.0)
    • zebrad (rust) (versions <= 4.4.1)
  4. Is there a fix for CVE-2026-52829? Yes. CVE-2026-52829 is fixed in zebra-network 7.0.0 and zebrad 4.5.0. Upgrade to these versions or later.
  5. Is CVE-2026-52829 exploitable, and should I be worried? Whether CVE-2026-52829 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-52829 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-52829?
    • Upgrade zebra-network to 7.0.0 or later
    • Upgrade zebrad to 4.5.0 or later

Other vulnerabilities in zebra-network

  • CVE-2026-52829
  • CVE-2026-40881
