Vulnerability-Lookup

CVE-2026-41585 (GCVE-0-2026-41585)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:06 – Updated: 2026-05-08 21:27

Title

ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients

Summary

ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE

CWE-248 - Uncaught Exception
CWE-617 - Reachable Assertion

Assigner

GitHub_M

References

URL

Tags

https://github.com/ZcashFoundation/zebra/security…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ZcashFoundation	zebra	Affected: zebra-rpc >= 1.0.0-beta.45, < 6.0.2 Affected: zebrad >= 2.2.0, < 4.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41585",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T17:12:44.201512Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:27:04.066Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zebra",
          "vendor": "ZcashFoundation",
          "versions": [
            {
              "status": "affected",
              "version": "zebra-rpc \u003e= 1.0.0-beta.45, \u003c 6.0.2"
            },
            {
              "status": "affected",
              "version": "zebrad \u003e= 2.2.0, \u003c 4.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra\u0027s JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617: Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T15:06:15.309Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w"
        }
      ],
      "source": {
        "advisory": "GHSA-29x4-r6jv-ff4w",
        "discovery": "UNKNOWN"
      },
      "title": "ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41585",
    "datePublished": "2026-05-08T15:06:15.309Z",
    "dateReserved": "2026-04-21T14:15:21.959Z",
    "dateUpdated": "2026-05-08T21:27:04.066Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41585",
      "date": "2026-05-09",
      "epss": "0.0004",
      "percentile": "0.12243"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41585\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T15:16:41.400\",\"lastModified\":\"2026-05-08T18:19:56.697\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra\u0027s JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"},{\"lang\":\"en\",\"value\":\"CWE-617\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebra-rpc:*:*:*:*:*:rust:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"6.0.2\",\"matchCriteriaId\":\"FBE8A429-C046-4D22-BBD3-0BC4CB5B08F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebra-rpc:1.0.0:-:*:*:*:rust:*:*\",\"matchCriteriaId\":\"B3450E7E-A67B-409B-ACDA-AA7CE6B95E30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebra-rpc:1.0.0:beta45:*:*:*:rust:*:*\",\"matchCriteriaId\":\"62776E2E-81A5-4269-A19D-4983D2336425\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebra-rpc:1.0.0:beta46:*:*:*:rust:*:*\",\"matchCriteriaId\":\"6D766D1A-302B-4F72-A7A7-170E766D6241\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"4.3.1\",\"matchCriteriaId\":\"FDF085CF-E73B-4993-A287-FBE9D92385D9\"}]}]}],\"references\":[{\"url\":\"https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41585\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T17:12:44.201512Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T17:12:47.835Z\"}}], \"cna\": {\"title\": \"ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients\", \"source\": {\"advisory\": \"GHSA-29x4-r6jv-ff4w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ZcashFoundation\", \"product\": \"zebra\", \"versions\": [{\"status\": \"affected\", \"version\": \"zebra-rpc \u003e= 1.0.0-beta.45, \u003c 6.0.2\"}, {\"status\": \"affected\", \"version\": \"zebrad \u003e= 2.2.0, \u003c 4.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w\", \"name\": \"https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra\u0027s JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-248\", \"description\": \"CWE-248: Uncaught Exception\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-617\", \"description\": \"CWE-617: Reachable Assertion\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T15:06:15.309Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41585\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-08T21:27:04.066Z\", \"dateReserved\": \"2026-04-21T14:15:21.959Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T15:06:15.309Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41585

Vulnerability from fkie_nvd - Published: 2026-05-08 15:16 - Updated: 2026-05-08 18:19

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w	Vendor Advisory, Mitigation

Impacted products

Vendor	Product	Version
zfnd	zebra-rpc	*
zfnd	zebra-rpc	1.0.0
zfnd	zebra-rpc	1.0.0
zfnd	zebra-rpc	1.0.0
zfnd	zebrad	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zfnd:zebra-rpc:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "FBE8A429-C046-4D22-BBD3-0BC4CB5B08F8",
              "versionEndExcluding": "6.0.2",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zfnd:zebra-rpc:1.0.0:-:*:*:*:rust:*:*",
              "matchCriteriaId": "B3450E7E-A67B-409B-ACDA-AA7CE6B95E30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zfnd:zebra-rpc:1.0.0:beta45:*:*:*:rust:*:*",
              "matchCriteriaId": "62776E2E-81A5-4269-A19D-4983D2336425",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zfnd:zebra-rpc:1.0.0:beta46:*:*:*:rust:*:*",
              "matchCriteriaId": "6D766D1A-302B-4F72-A7A7-170E766D6241",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "FDF085CF-E73B-4993-A287-FBE9D92385D9",
              "versionEndExcluding": "4.3.1",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra\u0027s JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2."
    }
  ],
  "id": "CVE-2026-41585",
  "lastModified": "2026-05-08T18:19:56.697",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T15:16:41.400",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-248"
        },
        {
          "lang": "en",
          "value": "CWE-617"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-29X4-R6JV-FF4W

Vulnerability from github – Published: 2026-04-18 01:15 – Updated: 2026-04-27 18:20

Summary

Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients

Details

A vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response.

Severity

Moderate - This is a Denial of Service (DoS) that requires a client capable of passing Zebra's cookie authentication, which is enabled by default.

Affected Versions

zebrad: versions from 2.2.0 up to (but not including) 4.3.1
zebra-rpc: versions from 1.0.0-beta.45 up to (but not including) 6.0.2

Description

Zebra's JSON-RPC HTTP middleware treated a failure to read the incoming HTTP request body as an unrecoverable error, aborting the process rather than returning an error response. A client that disconnected after sending only part of a request body, for example, by resetting the TCP connection mid-transfer, was sufficient to trigger the crash. The vulnerability could be exploited only by authenticated RPC clients. Nodes running the shipped defaults, with RPC bound to localhost and cookie authentication on, were not vulnerable.

Impact

Denial of Service * Attack Vector: Network, authenticated (requires a valid RPC cookie when cookie authentication is enabled). * Effect: Immediate crash of the Zebra node. * Scope: Any node whose RPC interface is reachable by a client with valid credentials, or any node with cookie authentication disabled and an exposed RPC interface.

Fixed Versions

This issue is fixed in Zebra 4.3.1 (crate zebra-rpc 6.0.2).

The fix propagates failures to read the HTTP request body as ordinary error responses, so Zebra now rejects truncated or interrupted requests rather than crashing.

Mitigation

Users should upgrade to Zebra 4.3.1 or later.

If an immediate upgrade is not possible, users should ensure their RPC port is not exposed to untrusted networks and that cookie authentication remains enabled (the default).

References

Zebra 4.3.1 Release Announcement

Credits

Thanks to shieldedonly who discovered this issue and reported it via our coordinated disclosure process.

Severity ?

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-rpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-beta.45"
            },
            {
              "fixed": "6.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T01:15:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Zebra\u0027s JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response.\n\n## Severity\n**Moderate** - This is a Denial of Service (DoS) that requires a client capable of passing Zebra\u0027s cookie authentication, which is enabled by default.\n\n## Affected Versions\n- `zebrad`: versions from **2.2.0** up to (but not including) **4.3.1**\n- `zebra-rpc`: versions from **1.0.0-beta.45** up to (but not including) **6.0.2**\n\n## Description\n\nZebra\u0027s JSON-RPC HTTP middleware treated a failure to read the incoming HTTP request body as an unrecoverable error, aborting the process rather than returning an error response. A client that disconnected after sending only part of a request body, for example, by resetting the TCP connection mid-transfer, was sufficient to trigger the crash. The vulnerability could be exploited only by authenticated RPC clients. Nodes running the shipped defaults, with RPC bound to localhost and cookie authentication on, were not vulnerable.\n\n## Impact\n**Denial of Service**\n* **Attack Vector:** Network, authenticated (requires a valid RPC cookie when cookie authentication is enabled).\n* **Effect:** Immediate crash of the Zebra node.\n* **Scope:** Any node whose RPC interface is reachable by a client with valid credentials, or any node with cookie authentication disabled and an exposed RPC interface.\n\n## Fixed Versions\nThis issue is fixed in **Zebra 4.3.1** (crate `zebra-rpc` 6.0.2).\n\nThe fix propagates failures to read the HTTP request body as ordinary error responses, so Zebra now rejects truncated or interrupted requests rather than crashing.\n\n## Mitigation\nUsers should upgrade to **Zebra 4.3.1** or later.\n\nIf an immediate upgrade is not possible, users should ensure their RPC port is not exposed to untrusted networks and that cookie authentication remains enabled (the default).\n\n## References\n* [Zebra 4.3.1 Release Announcement](https://zfnd.org/)\n\n## Credits\nThanks to [shieldedonly](https://github.com/shieldedonly) who discovered this issue and reported it via our coordinated disclosure process.",
  "id": "GHSA-29x4-r6jv-ff4w",
  "modified": "2026-04-27T18:20:10Z",
  "published": "2026-04-18T01:15:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41585 (GCVE-0-2026-41585)

FKIE_CVE-2026-41585

GHSA-29X4-R6JV-FF4W

Severity

Affected Versions

Description

Impact

Fixed Versions

Mitigation

References

Credits

Tags

Sightings

Nomenclature