GHSA-H9HM-M2XJ-4RQ9
Vulnerability from github – Published: 2026-05-08 19:12 – Updated: 2026-05-08 19:12Summary
A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals.
Severity
Critical — This is a Denial of Service vulnerability that requires no authentication, no special privileges, and only a single peer connection. The halt is permanent: the node will never recover without operator intervention.
Affected Versions
All Zebra versions prior to 4.4.0.
Description
Zebra discovers new blocks through two complementary paths: a gossip path (peers announce blocks via inv messages, triggering individual block downloads) and a syncer path (Zebra periodically queries peers with FindBlocks/FindHeaders to discover chains of missing blocks). Both paths must function for normal operation.
The gossip path was vulnerable because there was no per-connection rate limit on inv messages. A single connection could send enough sequential inv messages with fake block hashes to fill the entire gossip download queue in under a millisecond. The FullQueue return value was silently ignored, so legitimate block announcements from honest peers were dropped with no warning.
The syncer backup path could be degraded by responding with empty inv to FindBlocks requests and with NotFound to block download requests. Both are valid protocol responses that carried zero misbehavior penalty. The attacker's connection was never banned and never disconnected, allowing the degradation to persist indefinitely.
Combining these two vectors, an attacker could suppress both block discovery paths simultaneously from a single connection, causing the node to fall permanently behind the chain tip.
Impact
Denial of Service
- Attack Vector: Network, unauthenticated. Requires only a single TCP peer connection.
- Effect: Permanent halt of block discovery. The targeted node falls behind the chain tip and never recovers without operator intervention.
- Scope: Any Zebra node reachable by the attacker over the peer-to-peer network.
Fixed Versions
This issue is fixed in Zebra 4.4.0.
The fix drops connections that send empty responses to FindBlocks and FindHeaders messages, preventing attackers from degrading the syncer path without consequence.
Mitigation
Users should upgrade to Zebra 4.4.0 or later immediately.
There are no known workarounds for this issue. Immediate upgrade is the only way to protect against this attack.
Credits
Zebra the researcher who reported this issue through the coordinated disclosure process.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "zebrad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44499"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:12:35Z",
"nvd_published_at": "2026-05-08T16:16:13Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA composite denial-of-service vulnerability in Zebra\u0027s block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems \u2014 all exercisable from a single TCP connection \u2014 to create a monotonically growing block deficit that never self-heals.\n\n## Severity\n\n**Critical** \u2014 This is a Denial of Service vulnerability that requires no authentication, no special privileges, and only a single peer connection. The halt is permanent: the node will never recover without operator intervention.\n\n## Affected Versions\n\nAll Zebra versions prior to 4.4.0.\n\n## Description\n\nZebra discovers new blocks through two complementary paths: a gossip path (peers announce blocks via `inv` messages, triggering individual block downloads) and a syncer path (Zebra periodically queries peers with `FindBlocks`/`FindHeaders` to discover chains of missing blocks). Both paths must function for normal operation.\n\nThe gossip path was vulnerable because there was no per-connection rate limit on `inv` messages. A single connection could send enough sequential `inv` messages with fake block hashes to fill the entire gossip download queue in under a millisecond. The `FullQueue` return value was silently ignored, so legitimate block announcements from honest peers were dropped with no warning.\n\nThe syncer backup path could be degraded by responding with empty `inv` to `FindBlocks` requests and with `NotFound` to block download requests. Both are valid protocol responses that carried zero misbehavior penalty. The attacker\u0027s connection was never banned and never disconnected, allowing the degradation to persist indefinitely.\n\nCombining these two vectors, an attacker could suppress both block discovery paths simultaneously from a single connection, causing the node to fall permanently behind the chain tip.\n\n## Impact\n\n**Denial of Service**\n\n* **Attack Vector:** Network, unauthenticated. Requires only a single TCP peer connection.\n* **Effect:** Permanent halt of block discovery. The targeted node falls behind the chain tip and never recovers without operator intervention.\n* **Scope:** Any Zebra node reachable by the attacker over the peer-to-peer network.\n\n## Fixed Versions\n\nThis issue is fixed in Zebra 4.4.0.\n\nThe fix drops connections that send empty responses to `FindBlocks` and `FindHeaders` messages, preventing attackers from degrading the syncer path without consequence.\n\n## Mitigation\n\nUsers should upgrade to Zebra 4.4.0 or later immediately.\n\nThere are no known workarounds for this issue. Immediate upgrade is the only way to protect against this attack.\n\n## Credits\n\nZebra the researcher who reported this issue through the coordinated disclosure process.",
"id": "GHSA-h9hm-m2xj-4rq9",
"modified": "2026-05-08T19:12:35Z",
"published": "2026-05-08T19:12:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44499"
},
{
"type": "PACKAGE",
"url": "https://github.com/ZcashFoundation/zebra"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.