Summary
Am I affected
You are affected if:
- You run
zebradup to and includingv4.4.1. - Your node accepts inbound P2P connections (
network.listen_addris set, which is the default).
The P2P codec's Codec::decode() method calls src.reserve(body_len + HEADER_LEN) after parsing a 24-byte protocol header, using the attacker-claimed body_len field. This reserves up to MAX_PROTOCOL_MESSAGE_LEN (~2 MiB) of virtual buffer capacity per connection before any body bytes arrive and before the handshake completes.
However, BytesMut::reserve() sets virtual capacity without committing physical memory pages. The operating system does not allocate physical RAM until bytes are actually written into the buffer. Since the attacker never sends body bytes, the reserved capacity remains uncommitted. Reproduction of the reporter's PoC (256 threads, 30 seconds of sustained connections) showed negligible RSS impact on the Zebra process.
Zebra's existing mitigations further constrain the practical attack surface: per-IP connection limits (max_connections_per_ip = 1), a per-connection accept rate of approximately one per second, and a 3-second handshake timeout that cleans up idle connections.
Details
At zebra-network/src/protocol/external/codec.rs:406, after parsing the 24-byte header and validating the network magic and body length against MAX_PROTOCOL_MESSAGE_LEN, the codec calls src.reserve(body_len + HEADER_LEN). The codec is constructed on the bare TCP stream before negotiate_version() runs, so the reservation is reachable from any TCP peer that can send 24 bytes.
No legitimate Zcash handshake message (version, verack) is anywhere close to 2 MiB. The codec makes no distinction between pre-handshake and post-handshake message types when sizing the reservation.
Workarounds
No workaround is needed. The existing per-IP rate limiting, handshake timeout, and connection limits effectively mitigate the practical impact.
Credit
Reported by @ouicate via a private GitHub Security Advisory submission.
Impact
Minimal. The reservation affects virtual address space only, not physical memory. Zebra's existing connection-management mitigations (per-IP limits, accept rate, handshake timeout) further constrain the attack. The code path is worth cleaning up for defense-in-depth but does not produce a measurable denial-of-service effect.
The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.
GHSA-H72H-PPCX-998P has a CVSS score of 3.7 (Low). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.0.0, 4.5.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The fix defers large buffer reservations until after the handshake completes, or caps the per-message reservation for pre-handshake messages to what version/verack actually require.
Frequently Asked Questions
- What is GHSA-H72H-PPCX-998P? GHSA-H72H-PPCX-998P is a low-severity allocation of resources without limits or throttling vulnerability in zebra-network (rust), affecting versions <= 6.0.0. It is fixed in 7.0.0, 4.5.0. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
- How severe is GHSA-H72H-PPCX-998P? GHSA-H72H-PPCX-998P has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by GHSA-H72H-PPCX-998P?
zebra-network(rust) (versions <= 6.0.0)zebrad(rust) (versions <= 4.4.1)
- Is there a fix for GHSA-H72H-PPCX-998P? Yes. GHSA-H72H-PPCX-998P is fixed in 7.0.0, 4.5.0. Upgrade to this version or later.
- Is GHSA-H72H-PPCX-998P exploitable, and should I be worried? Whether GHSA-H72H-PPCX-998P is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-H72H-PPCX-998P is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-H72H-PPCX-998P?
- Upgrade
zebra-networkto 7.0.0 or later - Upgrade
zebradto 4.5.0 or later
- Upgrade