CVE-2026-52734: zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention
The mempool download pipeline’s cancel_handles map retains entries for transactions whose verification times out at the outer RATE_LIMIT_DELAY (73-second) boundary. The tokio::time::error::Elapsed error carries no payload, so the transaction ID is unrecoverable and the corresponding cancel_handles entry (including the full Gossip::Tx(UnminedTx), up to ~2 MB) is never removed. Entries accumulate monotonically with no upper bound or garbage collection, leading to eventual out-of-memory process termination.
References
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebrad/src/components/mempool.rs
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebrad/src/components/mempool/downloads.rs
- github.com/ZcashFoundation/zebra/security/advisories/GHSA-65jj-fmw8-468q
- github.com/advisories/GHSA-65jj-fmw8-468q
- nvd.nist.gov/vuln/detail/CVE-2026-52734
Code Behaviors & Features
Detect and mitigate CVE-2026-52734 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →