{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:20:53.416Z", "dateUpdated": "2026-04-21T20:36:18.824Z"}, "containers": {"cna": {"title": "Zebra: addr/addrv2 Deserialization Resource Exhaustion", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8"}], "affected": [{"vendor": "ZcashFoundation", "product": "zebrad", "versions": [{"version": "< 4.3.1", "status": "affected"}]}, {"vendor": "ZcashFoundation", "product": "zebra-network", "versions": [{"version": "< 5.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:20:53.416Z"}, "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections. This vulnerability is fixed in zebrad version 4.3.0 and zebra-network version 5.0.1."}], "source": {"advisory": "GHSA-xr93-pcq3-pxf8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:51:52.666584Z", "id": "CVE-2026-40881", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:18.824Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40881", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:51:52.666584Z"}}}], "references": [{"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:52:03.611Z"}}], "cna": {"title": "Zebra: addr/addrv2 Deserialization Resource Exhaustion", "source": {"advisory": "GHSA-xr93-pcq3-pxf8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ZcashFoundation", "product": "zebrad", "versions": [{"status": "affected", "version": "< 4.3.1"}]}, {"vendor": "ZcashFoundation", "product": "zebra-network", "versions": [{"status": "affected", "version": "< 5.0.1"}]}], "references": [{"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8", "name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections. This vulnerability is fixed in zebrad version 4.3.0 and zebra-network version 5.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:20:53.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40881", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:18.824Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:20:53.416Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zfnd:zebra-network:*:*:*:*:*:rust:*:*", "matchCriteriaId": "1A075964-2131-40A5-AF5E-436DAA8F508C", "versionEndExcluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*", "matchCriteriaId": "0D5F3C05-ECFC-43B1-9168-8E114125F6B7", "versionEndExcluding": "4.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections. This vulnerability is fixed in zebrad version 4.3.0 and zebra-network version 5.0.1."}], "id": "CVE-2026-40881", "lastModified": "2026-04-27T18:24:28.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:01.850", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xr93-pcq3-pxf8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zebra-network", "source": "cna", "vendor": "ZcashFoundation"}, "product": "zebra-network", "vendor": "zcashfoundation"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zebrad", "source": "cna", "vendor": "ZcashFoundation"}, "product": "zebrad", "vendor": "zcashfoundation"}], "analysis": {"en": {"generated_at": "2026-04-22T05:30:02.121351+00:00", "value": {"mitigation_remediation": ["Upgrade zebrad to version 4.3.0 or later and zebra\u2011network to version 5.0.1 or later; this removes the ability to allocate oversized address vectors.", "Restart the zebrad and zebra\u2011network services after upgrading to ensure the new code is loaded.", "Configure network-level rate limiting or firewall rules to restrict the number of addr/addrv2 messages accepted from untrusted peers, reducing the chance of memory exhaustion even if an older version is still running for legacy reasons."], "summary": {"action": "Patch Now", "impact": "Denial of Service through out-of-memory exhaustion"}, "threat_synthesis": {"affected_systems": "The problem exists in zebrad releases prior to v4.3.0 and in zebra\u2011network releases before v5.0.1. Any node running those legacy versions and accepting external addr/addrv2 messages is at risk. Versions v4.3.0 of zebrad and v5.0.1 of zebra\u2011network contain the fix.", "description_and_impact": "Zcash Foundation\u2019s Zebra node implementation contains a resource exhaustion vulnerability: while deserializing addr and addrv2 P2P messages Zebra allocates a vector capacity based on a 2\u202fMiB message limit, allowing more than 233,000 addresses even though the protocol caps the list at 1,000. This memory is committed before the upper bound is enforced, so an attacker who sends many such messages over multiple connections can exhaust the node\u2019s heap and trigger an out\u2011of\u2011memory abort, causing a denial of service. The flaw is a classic CWE\u2011770 scenario.", "risk_and_exploitability": "The CVSS score of 6.3 places the vulnerability in the high severity range. The EPSS score is not available and the issue is not listed in CISA\u2019s KEV catalog, implying that known exploitation activity is either low or not documented. Nevertheless, the flaw can be triggered remotely over untrusted network connections with no authentication, making it potentially exploitable by anyone who can reach the node. Attacking such a node would involve sending large addr/addrv2 messages on multiple connections to drain memory, and the lack of built\u2011in mitigation in affected releases keeps the risk significant until the patch is applied."}}}}, "created": "2026-04-22T05:30:09.561340+00:00", "updated": "2026-04-22T11:45:44.085809+00:00", "vendors": ["zcashfoundation", "zcashfoundation$PRODUCT$zebra-network", "zcashfoundation$PRODUCT$zebrad"]}