
GHSA-443g-gwgp-49x4: zebrad vulnerable to getblocks/getheaders locator CPU amplification via uncapped vector length

July 2, 2026

The read_getblocks and read_getheaders codec paths accepted block locator vectors up to approximately 65,535 entries (the generic TrustedPreallocate ceiling derived from MAX_PROTOCOL_MESSAGE_LEN), rather than the protocol-specification limit of 101 entries (matching zcashd’s MAX_LOCATOR_SZ). Each entry in the locator vector triggers a per-hash chain lookup (HashMap::contains_key + RocksDB::contains_hash) in find_chain_intersection on a tokio blocking-pool thread.

A single maximally-sized getblocks message occupies one blocking-pool thread for approximately 10–65ms. Under sustained load from multiple peers, this can degrade state-read performance for block validation, RPC, and mempool lookups.
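The fix class described above is a length cap checked before the locator is allocated or walked. The following Rust sketch is an added illustration, not zebrad's codec or the patch linked below: it decodes a Bitcoin-style CompactSize-prefixed locator and compares the weak behaviour (a generic preallocation ceiling, assumed here as 65,535 since the advisory says "approximately") with the protocol cap of 101. `read_locator`, `encode_locator` and the constant names are this example's own, and the sample locators it builds are constructed data.

```rust
use std::io::Read;

/// Protocol limit on block locator entries (zcashd's MAX_LOCATOR_SZ; the advisory names 101).
pub const MAX_LOCATOR_SZ: usize = 101;

/// Ceiling the vulnerable path effectively had (generic preallocation bound).
/// Assumed value: the advisory states "approximately 65,535".
pub const GENERIC_PREALLOC_CEILING: usize = 65_535;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct BlockHash(pub [u8; 32]);

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    /// Declared locator count exceeded the cap; carries the declared count.
    TooManyLocators(usize),
    /// Stream ended before the declared payload was fully read.
    Truncated,
}

/// Read exactly N bytes into a fixed array.
fn read_array<R: Read, const N: usize>(r: &mut R) -> Result<[u8; N], DecodeError> {
    let mut buf = [0u8; N];
    r.read_exact(&mut buf).map_err(|_| DecodeError::Truncated)?;
    Ok(buf)
}

/// Bitcoin-style CompactSize varint, used for vector lengths on the wire.
pub fn read_compact_size<R: Read>(r: &mut R) -> Result<u64, DecodeError> {
    let [tag] = read_array::<R, 1>(r)?;
    Ok(match tag {
        0..=0xfc => tag as u64,
        0xfd => u16::from_le_bytes(read_array::<R, 2>(r)?) as u64,
        0xfe => u32::from_le_bytes(read_array::<R, 4>(r)?) as u64,
        0xff => u64::from_le_bytes(read_array::<R, 8>(r)?),
    })
}

pub fn write_compact_size(out: &mut Vec<u8>, n: u64) {
    match n {
        0..=0xfc => out.push(n as u8),
        0xfd..=0xffff => {
            out.push(0xfd);
            out.extend_from_slice(&(n as u16).to_le_bytes());
        }
        0x1_0000..=0xffff_ffff => {
            out.push(0xfe);
            out.extend_from_slice(&(n as u32).to_le_bytes());
        }
        _ => {
            out.push(0xff);
            out.extend_from_slice(&n.to_le_bytes());
        }
    }
}

/// Decode a getblocks/getheaders locator, refusing any declared count above
/// `max_entries` before a single hash is allocated, read, or looked up.
pub fn read_locator<R: Read>(r: &mut R, max_entries: usize) -> Result<Vec<BlockHash>, DecodeError> {
    let declared = read_compact_size(r)?;
    // The peer-supplied count is checked first: it must not drive allocation
    // size or the number of per-entry chain lookups on its own say-so.
    let count = usize::try_from(declared).map_err(|_| DecodeError::TooManyLocators(usize::MAX))?;
    if count > max_entries {
        return Err(DecodeError::TooManyLocators(count));
    }
    let mut locator = Vec::with_capacity(count);
    for _ in 0..count {
        locator.push(BlockHash(read_array::<R, 32>(r)?));
    }
    Ok(locator)
}

/// Build a wire-format locator with `n` synthetic hashes (constructed test data).
pub fn encode_locator(n: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(9 + 32 * n);
    write_compact_size(&mut out, n as u64);
    for i in 0..n {
        let mut h = [0u8; 32];
        h[..8].copy_from_slice(&(i as u64).to_le_bytes());
        out.extend_from_slice(&h);
    }
    out
}

fn main() {
    for n in [101usize, 102, 65_535] {
        let bytes = encode_locator(n);
        let generic = read_locator(&mut bytes.as_slice(), GENERIC_PREALLOC_CEILING).map(|v| v.len());
        let capped = read_locator(&mut bytes.as_slice(), MAX_LOCATOR_SZ).map(|v| v.len());
        println!("{n:>6} entries: generic ceiling -> {generic:?}, protocol cap -> {capped:?}");
    }
}
```

With the generic ceiling, a 102-entry (or 65,535-entry) locator decodes successfully and every entry then costs a chain lookup; with the protocol cap the message is rejected at the length prefix, so an oversized locator never reaches the blocking pool.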

References

  • github.com/ZcashFoundation/zebra/commit/8981a1b95d4807cad99e5bb3b94fc8bc723ac033
  • github.com/ZcashFoundation/zebra/pull/10570
  • github.com/ZcashFoundation/zebra/security/advisories/GHSA-443g-gwgp-49x4
  • github.com/advisories/GHSA-443g-gwgp-49x4

Affected versions

All versions before 4.5.0

Fixed versions

  • 4.5.0

Solution

Upgrade to version 4.5.0 or above.

Impact: 3.7 (LOW)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

cargo/zebrad/GHSA-443g-gwgp-49x4.yml

Page generated Fri, 03 Jul 2026 12:18:30 +0000.