
CVE-2026-40881: Zebra: addr/addrv2 Deserialization Resource Exhaustion

April 18, 2026

When deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections.
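As an added illustration (not Zebra's code), the allocate-then-check pattern the advisory describes beside the check-before-allocate fix, over a constructed length-prefixed address record; the 233,000 bound, the wire format and all names are assumptions:

```rust
/// Per-message address limit from the protocol specification (cited in the advisory).
pub const MAX_ADDRS_IN_MESSAGE: usize = 1_000;
/// Bound derived from the 2 MiB message size limit (assumed value; advisory says "over 233,000").
pub const MAX_ADDRS_FROM_MSG_SIZE: usize = 233_000;
const ADDR_WIRE_LEN: usize = 6; // constructed record: 4-byte IPv4 + 2-byte LE port

#[derive(Debug, PartialEq)]
pub enum DecodeError { TooManyAddrs(usize), Truncated }
#[derive(Debug, Clone, PartialEq)]
pub struct Addr { pub ip: [u8; 4], pub port: u16 }

/// Reads the u32 little-endian element count that prefixes the vector.
fn read_count(buf: &[u8]) -> Result<(usize, &[u8]), DecodeError> {
    if buf.len() < 4 { return Err(DecodeError::Truncated); }
    Ok((u32::from_le_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize, &buf[4..]))
}

fn read_addr(buf: &[u8]) -> Result<(Addr, &[u8]), DecodeError> {
    if buf.len() < ADDR_WIRE_LEN { return Err(DecodeError::Truncated); }
    let addr = Addr { ip: [buf[0], buf[1], buf[2], buf[3]], port: u16::from_le_bytes([buf[4], buf[5]]) };
    Ok((addr, &buf[ADDR_WIRE_LEN..]))
}

/// Reserves capacity for `count` elements up front, then reads them one by one.
fn read_addrs(count: usize, mut rest: &[u8]) -> Result<Vec<Addr>, DecodeError> {
    let mut out = Vec::with_capacity(count); // the peer-supplied count sizes this allocation
    for _ in 0..count { let (a, r) = read_addr(rest)?; out.push(a); rest = r; }
    Ok(out)
}

/// Vulnerable shape: only the size-derived bound gates allocation; the
/// 1,000-address spec limit is enforced after the vector already exists.
pub fn decode_addrs_vulnerable(buf: &[u8]) -> Result<Vec<Addr>, DecodeError> {
    let (count, rest) = read_count(buf)?;
    if count > MAX_ADDRS_FROM_MSG_SIZE { return Err(DecodeError::TooManyAddrs(count)); }
    let addrs = read_addrs(count, rest)?;
    if addrs.len() > MAX_ADDRS_IN_MESSAGE { return Err(DecodeError::TooManyAddrs(addrs.len())); }
    Ok(addrs)
}

/// Fixed shape: reject the count against the spec limit before allocating anything.
pub fn decode_addrs_fixed(buf: &[u8]) -> Result<Vec<Addr>, DecodeError> {
    let (count, rest) = read_count(buf)?;
    if count > MAX_ADDRS_IN_MESSAGE { return Err(DecodeError::TooManyAddrs(count)); }
    read_addrs(count, rest)
}

/// Constructed message: `count` header followed by `body_addrs` encoded addresses.
pub fn build_message(count: u32, body_addrs: usize) -> Vec<u8> {
    let mut m = count.to_le_bytes().to_vec();
    for i in 0..body_addrs { m.extend_from_slice(&[10, 0, 0, (i % 256) as u8, 0x1f, 0x20]); }
    m
}
```

The observable difference is where the rejection happens: the fixed decoder refuses an oversized count from the header alone, while the vulnerable one has already reserved the vector before it fails.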

References

  • github.com/ZcashFoundation/zebra
  • github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8
  • github.com/advisories/GHSA-xr93-pcq3-pxf8
  • nvd.nist.gov/vuln/detail/CVE-2026-40881

Affected versions

All versions before 5.0.1

Fixed versions

  • 5.0.1

Solution

Upgrade to version 5.0.1 or above.

Impact

5.8 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Weakness

  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

cargo/zebra-network/CVE-2026-40881.yml

Page generated Sun, 19 Apr 2026 00:18:18 +0000.