CVE-2026-44500 - Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers
GHSA-438q-jx8f-cccv MEDIUM rust/zebra-network
CVE: CVE-2026-44500
CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers
Summary
Several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks.
Severity
Moderate. This is a denial-of-service vulnerability: a malicious peer can inflate the per-message memory and parse cost on a Zebra node, and the effect compounds when many peers send such messages at once (multi-peer fan-in).
Each individual case is bounded by the 2 MiB transport ceiling or the block-size cap, so no single message causes unbounded allocation, but the cumulative gap between intended and actual limits is significant.
Affected Versions
All Zebra versions prior to 4.4.0.
Description
Zebra's network codec uses `TrustedPreallocate` and generic `Vec` deserialization to bound inbound message parsing. In several places the bound used at the deserializer was the generic transport or block-size ceiling rather than the tighter protocol or consensus rule that applies to the field, so allocation happened first and the real limit was only enforced afterwards. Four such cases were identified:
- `headers` message receive cap. `read_headers()` deserialized the `CountedHeader` vector via the generic `TrustedPreallocate` path, which allowed up to ~1,409 entries per message. The protocol ceiling `MAX_FIND_BLOCK_HEADERS_RESULTS = 160` was only used on the send side, giving an ~8.8x preallocation gap on receive. Reachable before the version handshake completes, since the codec is installed on raw bytes.
- Equihash solution length. `Solution::zcash_deserialize` decoded the solution as a generic `Vec<u8
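The `headers` receive-cap case above, as an added example that is not Zebra's code: a count-prefixed vector deserializer in the "generic" shape, where the only clamp on the preallocation is how many items fit in the 2 MiB transport ceiling, beside a "bounded" shape that checks the count against `MAX_FIND_BLOCK_HEADERS_RESULTS` before reserving anything. The 2 MiB ceiling and the 160-header limit come from the advisory; the 1488-byte counted-header size, the function and type names, and the CompactSize helpers are assumptions made for the example and do not describe Zebra's real types or its fix.

```rust
// Added example, not Zebra's code: generic-ceiling preallocation beside a
// protocol-bounded one, driven by a constructed hostile `headers` message.
use std::io::Read;

/// Per-message transport ceiling cited by the advisory (2 MiB).
pub const MAX_PROTOCOL_MESSAGE_LEN: usize = 2 * 1024 * 1024;
/// Protocol limit on headers per `headers` message, from the advisory.
pub const MAX_FIND_BLOCK_HEADERS_RESULTS: usize = 160;
/// ASSUMPTION: serialized size of one counted header (block header plus a
/// one-byte transaction count). 2 MiB / 1488 = 1409, matching the advisory.
pub const ASSUMED_COUNTED_HEADER_LEN: usize = 1488;

/// Stand-in item type: a fixed-size array, so `Vec::with_capacity(n)`
/// reserves n * 1488 bytes up front, as a vector of inline structs would.
pub type CountedHeaderBytes = [u8; ASSUMED_COUNTED_HEADER_LEN];

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Io,
    Truncated,
    CountTooLarge { count: u64, limit: usize },
}

/// Bytes reserved before any header was read, and how the parse ended.
#[derive(Debug, PartialEq)]
pub struct ReadOutcome {
    pub reserved_bytes: usize,
    pub result: Result<usize, ParseError>,
}

/// Reads a Bitcoin/Zcash CompactSize length prefix.
pub fn read_compact_size<R: Read>(r: &mut R) -> Result<u64, ParseError> {
    let mut tag = [0u8; 1];
    r.read_exact(&mut tag).map_err(|_| ParseError::Io)?;
    let width = match tag[0] {
        n @ 0..=0xfc => return Ok(n as u64),
        0xfd => 2,
        0xfe => 4,
        _ => 8,
    };
    let mut buf = [0u8; 8]; // little-endian, unused high bytes stay zero
    r.read_exact(&mut buf[..width]).map_err(|_| ParseError::Io)?;
    Ok(u64::from_le_bytes(buf))
}

/// Writes a CompactSize prefix (used only to build the constructed messages).
pub fn write_compact_size(n: u64, out: &mut Vec<u8>) {
    match n {
        0..=0xfc => out.push(n as u8),
        0xfd..=0xffff => { out.push(0xfd); out.extend_from_slice(&(n as u16).to_le_bytes()) }
        0x1_0000..=0xffff_ffff => { out.push(0xfe); out.extend_from_slice(&(n as u32).to_le_bytes()) }
        _ => { out.push(0xff); out.extend_from_slice(&n.to_le_bytes()) }
    }
}

/// Generic path: the only clamp is how many items physically fit in one
/// transport message (1409 here), regardless of the protocol's own limit.
pub fn generic_prealloc_capacity(count: u64) -> usize {
    let transport_cap = (MAX_PROTOCOL_MESSAGE_LEN / ASSUMED_COUNTED_HEADER_LEN) as u64;
    count.min(transport_cap) as usize
}

/// Bounded path: reject an over-limit count before any allocation happens.
pub fn protocol_prealloc_capacity(count: u64) -> Result<usize, ParseError> {
    if count > MAX_FIND_BLOCK_HEADERS_RESULTS as u64 {
        return Err(ParseError::CountTooLarge { count, limit: MAX_FIND_BLOCK_HEADERS_RESULTS });
    }
    Ok(count as usize)
}

/// Reserves `capacity` items first, then reads `count` fixed-size items.
fn read_items<R: Read>(r: &mut R, count: u64, capacity: usize) -> ReadOutcome {
    let mut items: Vec<CountedHeaderBytes> = Vec::with_capacity(capacity);
    let reserved_bytes = items.capacity() * std::mem::size_of::<CountedHeaderBytes>();
    for _ in 0..count {
        let mut item = [0u8; ASSUMED_COUNTED_HEADER_LEN];
        if r.read_exact(&mut item).is_err() {
            return ReadOutcome { reserved_bytes, result: Err(ParseError::Truncated) };
        }
        items.push(item);
    }
    ReadOutcome { reserved_bytes, result: Ok(items.len()) }
}

/// Vulnerable shape: the count is clamped only by the transport ceiling.
pub fn read_headers_generic<R: Read>(r: &mut R) -> ReadOutcome {
    match read_compact_size(r) {
        Ok(count) => read_items(r, count, generic_prealloc_capacity(count)),
        Err(e) => ReadOutcome { reserved_bytes: 0, result: Err(e) },
    }
}

/// Hardened shape: the protocol limit is enforced before allocating.
pub fn read_headers_bounded<R: Read>(r: &mut R) -> ReadOutcome {
    let count = match read_compact_size(r) {
        Ok(c) => c,
        Err(e) => return ReadOutcome { reserved_bytes: 0, result: Err(e) },
    };
    match protocol_prealloc_capacity(count) {
        Ok(cap) => read_items(r, count, cap),
        Err(e) => ReadOutcome { reserved_bytes: 0, result: Err(e) },
    }
}

/// Constructed message: a CompactSize count followed by `body_items` dummy
/// headers. A hostile peer sends a large count with little or no body.
pub fn build_headers_message(count: u64, body_items: usize) -> Vec<u8> {
    let mut msg = Vec::new();
    write_compact_size(count, &mut msg);
    msg.resize(msg.len() + body_items * ASSUMED_COUNTED_HEADER_LEN, 0x11);
    msg
}

fn main() {
    let hostile = build_headers_message(1000, 0);
    let g = read_headers_generic(&mut &hostile[..]);
    let b = read_headers_bounded(&mut &hostile[..]);
    println!("generic: reserved {} bytes, result {:?}", g.reserved_bytes, g.result);
    println!("bounded: reserved {} bytes, result {:?}", b.reserved_bytes, b.result);
}
```

The hostile message is three bytes of CompactSize prefix and nothing else, yet the generic path reserves roughly 1.49 MB before its first `read_exact` fails; the bounded path reserves nothing because the 160 limit is applied to the count rather than to the buffer after the fact, which is the ordering the advisory describes as the fix. Sending the same prefix from many peers is the fan-in the Severity section refers to.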
📌 Source: GitHub-Advisory | 🆔 CVE-2026-44500 | 📅 2026-05-07