CVE-2026-44500: Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers
Several inbound deserialization paths in Zebra sized their preallocated buffers against generic ceilings (the maximum network message length or the maximum block size) instead of the tighter per-message protocol limits and consensus rules, and enforced those tighter limits only after the allocation had been made. A peer, whether unauthenticated or past the handshake, could therefore send a small length prefix that makes the node reserve and parse orders of magnitude more data than the protocol actually permits. The affected paths include `headers` messages, Equihash solutions in block headers, Sapling spend vectors in V4 and V5 transactions, and coinbase script bytes in blocks.
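The allocation pattern the advisory describes, as an added example that is not Zebra's code: a Bitcoin/Zcash-style CompactSize count prefix is decoded, and the vulnerable shape reserves `Vec` capacity bounded only by a transport-derived ceiling, while the hardened shape enforces the per-message protocol limit before allocating and additionally caps the count by the bytes actually present in the message. The constants `MAX_MESSAGE_BYTES`, `MAX_HEADERS_PER_MSG` and `HEADER_BYTES` are assumed placeholder values chosen for the demonstration, not Zebra's real limits.

```rust
// Added example, not Zebra's code. All limits below are hypothetical.
const MAX_MESSAGE_BYTES: u64 = 2 * 1024 * 1024; // assumed transport ceiling for one message
const MAX_HEADERS_PER_MSG: u64 = 160;           // assumed protocol limit for one headers vector
const HEADER_BYTES: usize = 32;                 // assumed fixed serialized size of one element

/// Decode a Bitcoin/Zcash CompactSize varint from the front of `buf`.
/// Returns (value, number of prefix bytes consumed).
fn read_compact_size(buf: &[u8]) -> Result<(u64, usize), &'static str> {
    let first = *buf.first().ok_or("truncated")?;
    // Read `n` little-endian bytes following the tag byte.
    let take = |n: usize| -> Result<u64, &'static str> {
        let bytes = buf.get(1..1 + n).ok_or("truncated")?;
        let mut v = 0u64;
        for (i, b) in bytes.iter().enumerate() {
            v |= (*b as u64) << (8 * i);
        }
        Ok(v)
    };
    match first {
        0..=0xfc => Ok((first as u64, 1)),
        0xfd => Ok((take(2)?, 3)),
        0xfe => Ok((take(4)?, 5)),
        _ => Ok((take(8)?, 9)),
    }
}

/// Vulnerable shape: the count is only checked against a bound derived from the
/// generic message-size ceiling, so a 5-byte prefix can make the node reserve up
/// to MAX_MESSAGE_BYTES of memory before a single element has been read.
/// Returns the number of bytes `Vec::with_capacity(count)` would reserve here.
fn preallocation_bytes_vulnerable(prefix: &[u8]) -> Result<usize, &'static str> {
    let (count, _) = read_compact_size(prefix)?;
    let transport_bound = MAX_MESSAGE_BYTES / HEADER_BYTES as u64;
    if count > transport_bound {
        return Err("count exceeds transport-derived bound");
    }
    // The original code would call Vec::with_capacity(count as usize) at this point.
    Ok(count as usize * HEADER_BYTES)
}

/// Hardened shape: enforce the tighter protocol limit first, then refuse to
/// trust the prefix for more elements than the remaining bytes can hold, and
/// only then allocate.
fn parse_headers_hardened(msg: &[u8]) -> Result<Vec<[u8; HEADER_BYTES]>, &'static str> {
    let (count, used) = read_compact_size(msg)?;
    if count > MAX_HEADERS_PER_MSG {
        return Err("count exceeds protocol limit");
    }
    let body = &msg[used..];
    let count = count as usize;
    if body.len() / HEADER_BYTES < count {
        return Err("count exceeds bytes present");
    }
    let mut out = Vec::with_capacity(count); // at most 160 * 32 bytes reserved
    for chunk in body.chunks_exact(HEADER_BYTES).take(count) {
        let mut h = [0u8; HEADER_BYTES];
        h.copy_from_slice(chunk);
        out.push(h);
    }
    Ok(out)
}

fn main() {
    // Constructed attacker prefix: 0xfe + u32 LE 0x00010000 = 65536 elements, no payload.
    let prefix = [0xfeu8, 0x00, 0x00, 0x01, 0x00];
    println!("vulnerable reserves: {:?}", preallocation_bytes_vulnerable(&prefix));
    println!("hardened result:     {:?}", parse_headers_hardened(&prefix));
}
```

The hardened version rejects the 5-byte prefix immediately, whereas the vulnerable version would reserve 2 MiB for it; with a 9-byte prefix and a ceiling derived from the block size instead of the message size the gap is correspondingly larger. Capping the count by `body.len() / HEADER_BYTES` is the second, independent check: even when a protocol limit is generous, the node should never reserve room for more elements than the peer has actually sent bytes for.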