CVE-2026-41585

Source
https://cve.org/CVERecord?id=CVE-2026-41585
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41585.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41585
Aliases
Published
2026-05-08T15:06:15.309Z
Modified
2026-07-15T01:49:18.396066411Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
Summary
ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients
Details

ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.

Database specific
{
    "cwe_ids": [
        "CWE-248",
        "CWE-617"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41585.json",
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "zebra-rpc >= 1.0.0-beta.45, < 6.0.2"
                },
                {
                    "last_affected": "zebra-rpc >= 1.0.0-beta.45, < 6.0.2"
                },
                {
                    "introduced": "zebrad >= 2.2.0, < 4.3.1"
                },
                {
                    "last_affected": "zebrad >= 2.2.0, < 4.3.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "6.0.2"
                }
            ],
            "source": "DESCRIPTION"
        }
    ]
}
References

Affected packages

Git / github.com/zcashfoundation/zebra

Affected ranges

Type
GIT
Repo
https://github.com/zcashfoundation/zebra
Events
Database specific
{
    "cpe": "cpe:2.3:a:zfnd:zebra-rpc:1.0.0:-:*:*:*:rust:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.3.1"
        },
        {
            "introduced": "1.0.0-NA"
        },
        {
            "last_affected": "1.0.0-NA"
        }
    ],
    "source": [
        "DESCRIPTION",
        "CPE_STRING"
    ]
}

Affected versions

1.*
1.0.0-NA
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.7.0
v1.8.0
v1.9.0
v2.*
v2.0.0
v2.0.0-rc.0
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.2
v2.5.0
v3.*
v3.0.0
v3.0.0-rc.0
v3.1.0
v4.*
v4.0.0
v4.1.0
v4.2.0
v4.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41585.json"