Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. zebra-state
  4. ›
  5. CVE-2026-52736

CVE-2026-52736: Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache

July 2, 2026

Zebra records a block hash in non_finalized_block_write_sent_hashes when the block is sent to the write task, before contextual validation completes. If validation fails, the hash is not removed. A remote unauthenticated peer can deliver a poisoned block body that shares a header hash with a later valid canonical block. The poisoned body is rejected, but the hash remains cached. When the valid canonical block arrives, Zebra treats it as a duplicate and rejects it. The node cannot advance past that height until restart or a reorg event.

References

  • github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-state/src/service.rs
  • github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-state/src/service.rs
  • github.com/ZcashFoundation/zebra/security/advisories/GHSA-4m69-67m6-prqp
  • github.com/advisories/GHSA-4m69-67m6-prqp
  • nvd.nist.gov/vuln/detail/CVE-2026-52736

Code Behaviors & Features

Detect and mitigate CVE-2026-52736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 7.0.0

Fixed versions

  • 7.0.0

Solution

Upgrade to version 7.0.0 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-459: Incomplete Cleanup

Source file

cargo/zebra-state/CVE-2026-52736.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Fri, 03 Jul 2026 12:18:24 +0000.