CVE-2026-52732: zebrad has mempool transaction admission denial via single-peer inbound queue saturation
A single unauthenticated P2P peer can monopolize all 25 inbound mempool download/verification slots (MAX_INBOUND_CONCURRENCY) by advertising fake transaction IDs. While the slots are occupied, all other inbound transactions from honest peers and local RPC sendrawtransaction calls are rejected with MempoolError::FullQueue. The attacker peer is never scored for misbehavior and is not disconnected, allowing sustained denial of mempool admission.
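A model of the admission logic described above, as an added example that is not zebrad's code and not the project's fix: it compares a global-only slot limit with a per-peer share. `MAX_PER_PEER`, `Source`, `InboundQueue`, `AdmitError::PeerQuotaExceeded` and `simulate` are hypothetical names, and slots are assumed never to complete while the fake IDs are outstanding.

```rust
use std::collections::HashMap;

const MAX_INBOUND_CONCURRENCY: usize = 25; // global slot count from the advisory
const MAX_PER_PEER: usize = 4; // assumed per-peer share, not a zebrad constant

#[derive(Debug, PartialEq)]
enum AdmitError {
    FullQueue,         // every global slot is busy
    PeerQuotaExceeded, // this peer already holds its share
}

#[derive(Clone, Copy, PartialEq, Eq, Hash)]
enum Source {
    Peer(u32), // constructed peer id
    LocalRpc,  // models a local sendrawtransaction call
}

struct InboundQueue {
    in_flight: HashMap<Source, usize>, // slots held per source
    per_peer_cap: Option<usize>,       // None = global limit only
}

impl InboundQueue {
    fn try_admit(&mut self, src: Source) -> Result<(), AdmitError> {
        let held = self.in_flight.get(&src).copied().unwrap_or(0);
        // Check the per-peer share first so one peer cannot reach the global limit alone.
        if let (Some(cap), Source::Peer(_)) = (self.per_peer_cap, src) {
            if held >= cap {
                return Err(AdmitError::PeerQuotaExceeded);
            }
        }
        if self.in_flight.values().sum::<usize>() >= MAX_INBOUND_CONCURRENCY {
            return Err(AdmitError::FullQueue);
        }
        self.in_flight.insert(src, held + 1);
        Ok(())
    }
}

/// Peer 1 requests `n` slots that never complete, then `honest` submits once.
/// Returns the honest outcome and how many of peer 1's requests were refused.
fn simulate(cap: Option<usize>, n: usize, honest: Source) -> (Result<(), AdmitError>, usize) {
    let mut q = InboundQueue { in_flight: HashMap::new(), per_peer_cap: cap };
    let refused = (0..n).filter(|_| q.try_admit(Source::Peer(1)).is_err()).count();
    (q.try_admit(honest), refused)
}

fn main() {
    println!("global only: {:?}", simulate(None, 25, Source::LocalRpc));
    println!("per-peer cap: {:?}", simulate(Some(MAX_PER_PEER), 25, Source::Peer(2)));
}
```

The refused count is the signal a node could feed into peer misbehavior scoring, which the advisory notes is absent for the saturating peer.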