CVE-2026-44499: Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning

May 8, 2026

A composite denial-of-service vulnerability in Zebra’s block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals.

References

github.com/ZcashFoundation/zebra
github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9
github.com/advisories/GHSA-h9hm-m2xj-4rq9
nvd.nist.gov/vuln/detail/CVE-2026-44499

Code Behaviors & Features

Detect and mitigate CVE-2026-44499 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →