Vulnerability DatabaseCVE-2026-44500
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-44500
Published:May 08, 2026
Updated:May 16, 2026
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
Affected Packages
zebrad (RUST):
Affected version(s) >=0.0.0-placeholder.0 <4.4.0
Fix Suggestion:
Update to version 4.4.0
zebra-chain (RUST):
Affected version(s) >=0.0.0-placeholder.0 <7.0.0
Fix Suggestion:
Update to version 7.0.0
zebra-network (RUST):
Affected version(s) >=0.0.0-placeholder.0 <6.0.0
Fix Suggestion:
Update to version 6.0.0
zebrad (RUST):
Affected version(s) >=0.0.0-placeholder.0 <4.4.0
Fix Suggestion:
Update to version 4.4.0
zebra-chain (RUST):
Affected version(s) >=0.0.0-placeholder.0 <7.0.0
Fix Suggestion:
Update to version 7.0.0
zebra-network (RUST):
Affected version(s) >=0.0.0-placeholder.0 <6.0.0
Fix Suggestion:
Update to version 6.0.0
Related Resources (4)
https://github.com/ZcashFoundation/zebra
https://nvd.nist.gov/vuln/detail/CVE-2026-44500
https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv
https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
0.06