CVE-2026-52736: Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache
Zebra records a block hash in non_finalized_block_write_sent_hashes when the block is sent to the write task, before contextual validation completes. If validation fails, the hash is not removed. A remote unauthenticated peer can deliver a poisoned block body that shares a header hash with a later valid canonical block. The poisoned body is rejected, but the hash remains cached. When the valid canonical block arrives, Zebra treats it as a duplicate and rejects it. The node cannot advance past that height until restart or a reorg event.
References
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-state/src/service.rs
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-state/src/service.rs
- github.com/ZcashFoundation/zebra/security/advisories/GHSA-4m69-67m6-prqp
- github.com/advisories/GHSA-4m69-67m6-prqp
- nvd.nist.gov/vuln/detail/CVE-2026-52736
Code Behaviors & Features
Detect and mitigate CVE-2026-52736 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →