CVE-2026-44500 (GCVE-0-2026-44500)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:10 – Updated: 2026-05-08 19:41

Title

ZEBRA: Allocation Amplification in Inbound Network Deserializers

Summary

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

https://github.com/ZcashFoundation/zebra/security…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ZcashFoundation	zebra	Affected: zebrad < 4.4.0 Affected: zebra-chain < 7.0.0 Affected: zebra-network < 6.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44500",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T19:41:23.974951Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T19:41:46.471Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zebra",
          "vendor": "ZcashFoundation",
          "versions": [
            {
              "status": "affected",
              "version": "zebrad \u003c 4.4.0"
            },
            {
              "status": "affected",
              "version": "zebra-chain \u003c 7.0.0"
            },
            {
              "status": "affected",
              "version": "zebra-network \u003c 6.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T15:10:21.516Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv"
        }
      ],
      "source": {
        "advisory": "GHSA-438q-jx8f-cccv",
        "discovery": "UNKNOWN"
      },
      "title": "ZEBRA: Allocation Amplification in Inbound Network Deserializers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44500",
    "datePublished": "2026-05-08T15:10:21.516Z",
    "dateReserved": "2026-05-06T18:28:20.886Z",
    "dateUpdated": "2026-05-08T19:41:46.471Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44500",
      "date": "2026-05-09",
      "epss": "0.00047",
      "percentile": "0.14468"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44500\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T15:17:01.777\",\"lastModified\":\"2026-05-08T18:01:52.567\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*\",\"versionEndExcluding\":\"7.0.0\",\"matchCriteriaId\":\"6BF3BDC0-FD8D-4265-B8BC-139BF28710E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebra-network:*:*:*:*:*:rust:*:*\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"8E807203-EE55-46B2-8CD1-29047653BCFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*\",\"versionEndExcluding\":\"4.4.0\",\"matchCriteriaId\":\"23232F98-CB60-4B90-B46A-430E3E1CE10B\"}]}]}],\"references\":[{\"url\":\"https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44500\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T19:41:23.974951Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T19:41:36.043Z\"}}], \"cna\": {\"title\": \"ZEBRA: Allocation Amplification in Inbound Network Deserializers\", \"source\": {\"advisory\": \"GHSA-438q-jx8f-cccv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ZcashFoundation\", \"product\": \"zebra\", \"versions\": [{\"status\": \"affected\", \"version\": \"zebrad \u003c 4.4.0\"}, {\"status\": \"affected\", \"version\": \"zebra-chain \u003c 7.0.0\"}, {\"status\": \"affected\", \"version\": \"zebra-network \u003c 6.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv\", \"name\": \"https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T15:10:21.516Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44500\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-08T19:41:46.471Z\", \"dateReserved\": \"2026-05-06T18:28:20.886Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T15:10:21.516Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44500

Vulnerability from fkie_nvd - Published: 2026-05-08 15:17 - Updated: 2026-05-08 18:01

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
zfnd	zebra-chain	*
zfnd	zebra-network	*
zfnd	zebrad	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "6BF3BDC0-FD8D-4265-B8BC-139BF28710E2",
              "versionEndExcluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zfnd:zebra-network:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "8E807203-EE55-46B2-8CD1-29047653BCFF",
              "versionEndExcluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "23232F98-CB60-4B90-B46A-430E3E1CE10B",
              "versionEndExcluding": "4.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0."
    }
  ],
  "id": "CVE-2026-44500",
  "lastModified": "2026-05-08T18:01:52.567",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T15:17:01.777",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-438Q-JX8F-CCCV

Vulnerability from github – Published: 2026-05-07 20:55 – Updated: 2026-05-07 20:55

Summary

Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers

Details

CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers

Summary

Several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.

Severity

Moderate - This is a Denial-of-Service Vulnerability that could allow a malicious peer to amplify per-message memory and parse cost on Zebra nodes, with effects amplified by multi-peer fan-in.

Each individual case is bounded by the 2 MiB transport ceiling or the block-size cap, so no single message causes unbounded allocation, but the cumulative gap between intended and actual limits is significant.

Affected Versions

All Zebra versions prior to 4.4.0.

Description

Zebra's network codec uses TrustedPreallocate and generic Vec deserialization to bound inbound message parsing. In several places the bound used at the deserializer was the generic transport or block-size ceiling rather than the tighter protocol or consensus rule that applies to the field, so allocation happened first and the real limit was only enforced afterwards. Four such cases were identified:

headers message receive cap. read_headers() deserialized the CountedHeader vector via the generic TrustedPreallocate path, which allowed up to ~1,409 entries per message. The protocol ceiling MAX_FIND_BLOCK_HEADERS_RESULTS = 160 was only used on the send side, giving an ~8.8x preallocation gap on receive. Reachable before the version handshake completes since the codec is installed on raw bytes.
Equihash solution length. Solution::zcash_deserialize decoded the solution as a generic Vec<u8> and only checked the exact consensus size (1344 bytes mainnet/testnet, 36 bytes regtest) afterwards in Solution::from_bytes. A single fixed-size header field could be inflated to nearly the full block-size ceiling before rejection.
Sapling spend vectors in coinbase transactions. V5 spend_prefixes and V4 shielded_spends were allocated generically with block-size-derived ceilings (~5,681 / ~5,208 entries) before the consensus rule that coinbase transactions have zero Sapling spends was enforced in the verifier.
Coinbase script bytes. Input::zcash_deserialize() read the coinbase script as a generic Vec<u8> up to the message-size cap before enforcing the consensus rule that coinbase scripts are between 2 and 100 bytes.

An attacker could exploit this by:

Opening an inbound TCP connection (and, for the latter three cases, completing the version handshake).
Sending one of: a headers message with a CompactSize count up to ~1,409, a block whose header carries an inflated equihash CompactSize, a tx declaring a coinbase input with a large nSpendsSapling, or a block with a coinbase input whose script length is near the message-size ceiling.
The deserializer allocates against the loose ceiling, parses, and only then rejects.

Impact

Denial of Service

Attack Vector: Network.
Effect: Amplified per-message allocation and parse cost on inbound peer messages, stackable across concurrent connections. The concrete effect will be influenced by how much memory Zebra has available.
Scope: Any affected Zebra node.

Fixed Versions

This issue is fixed in Zebra 4.4.0.

Mitigation

Users should upgrade to Zebra 4.4.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to remove the amplified allocation surface on inbound peer messages.

Credits

Zebra thanks @Zk-nd3r for finding and reporting the issues.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.2"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-network"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.3"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-chain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T20:55:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers\n\n## Summary\n\nSeveral inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across `headers` messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.\n\n## Severity\n\n**Moderate** - This is a Denial-of-Service Vulnerability that could allow a malicious peer to amplify per-message memory and parse cost on Zebra nodes, with effects amplified by multi-peer fan-in.\n\nEach individual case is bounded by the 2 MiB transport ceiling or the block-size cap, so no single message causes unbounded allocation, but the cumulative gap between intended and actual limits is significant.\n\n## Affected Versions\n\nAll Zebra versions prior to 4.4.0.\n\n## Description\n\nZebra\u0027s network codec uses `TrustedPreallocate` and generic `Vec` deserialization to bound inbound message parsing. In several places the bound used at the deserializer was the generic transport or block-size ceiling rather than the tighter protocol or consensus rule that applies to the field, so allocation happened first and the real limit was only enforced afterwards. Four such cases were identified:\n\n- **`headers` message receive cap.** `read_headers()` deserialized the `CountedHeader` vector via the generic `TrustedPreallocate` path, which allowed up to ~1,409 entries per message. The protocol ceiling `MAX_FIND_BLOCK_HEADERS_RESULTS = 160` was only used on the send side, giving an ~8.8x preallocation gap on receive. Reachable before the version handshake completes since the codec is installed on raw bytes.\n- **Equihash solution length.** `Solution::zcash_deserialize` decoded the solution as a generic `Vec\u003cu8\u003e` and only checked the exact consensus size (1344 bytes mainnet/testnet, 36 bytes regtest) afterwards in `Solution::from_bytes`. A single fixed-size header field could be inflated to nearly the full block-size ceiling before rejection.\n- **Sapling spend vectors in coinbase transactions.** V5 `spend_prefixes` and V4 `shielded_spends` were allocated generically with block-size-derived ceilings (~5,681 / ~5,208 entries) before the consensus rule that coinbase transactions have zero Sapling spends was enforced in the verifier.\n- **Coinbase script bytes.** `Input::zcash_deserialize()` read the coinbase script as a generic `Vec\u003cu8\u003e` up to the message-size cap before enforcing the consensus rule that coinbase scripts are between 2 and 100 bytes.\n\nAn attacker could exploit this by:\n\n- Opening an inbound TCP connection (and, for the latter three cases, completing the version handshake).\n- Sending one of: a `headers` message with a CompactSize count up to ~1,409, a `block` whose header carries an inflated equihash CompactSize, a `tx` declaring a coinbase input with a large `nSpendsSapling`, or a `block` with a coinbase input whose script length is near the message-size ceiling.\n- The deserializer allocates against the loose ceiling, parses, and only then rejects.\n\n## Impact\n\n**Denial of Service**\n\n- **Attack Vector:** Network.\n- **Effect:** Amplified per-message allocation and parse cost on inbound peer messages, stackable across concurrent connections. The concrete effect will be influenced by how much memory Zebra has available.\n- **Scope:** Any affected Zebra node.\n\n## Fixed Versions\n\nThis issue is fixed in Zebra 4.4.0.\n\n## Mitigation\n\nUsers should upgrade to Zebra 4.4.0 or later immediately.\n\nThere are no known workarounds for this issue. Immediate upgrade is the only way to remove the amplified allocation surface on inbound peer messages.\n\n## Credits\n\nZebra thanks @Zk-nd3r for finding and reporting the issues.",
  "id": "GHSA-438q-jx8f-cccv",
  "modified": "2026-05-07T20:55:28Z",
  "published": "2026-05-07T20:55:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44500 (GCVE-0-2026-44500)

FKIE_CVE-2026-44500

GHSA-438Q-JX8F-CCCV

CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers

Summary

Severity

Affected Versions

Description

Impact

Fixed Versions

Mitigation

Credits

Tags

Sightings

Nomenclature