GHSA-h9hm-m2xj-4rq9

Suggest an improvement
Source
https://github.com/advisories/GHSA-h9hm-m2xj-4rq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h9hm-m2xj-4rq9/GHSA-h9hm-m2xj-4rq9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h9hm-m2xj-4rq9
Aliases
  • CVE-2026-44499
Published
2026-05-08T19:12:35Z
Modified
2026-05-08T19:33:48.529307Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
Details

Summary

A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals.

Severity

Critical — This is a Denial of Service vulnerability that requires no authentication, no special privileges, and only a single peer connection. The halt is permanent: the node will never recover without operator intervention.

Affected Versions

All Zebra versions prior to 4.4.0.

Description

Zebra discovers new blocks through two complementary paths: a gossip path (peers announce blocks via inv messages, triggering individual block downloads) and a syncer path (Zebra periodically queries peers with FindBlocks/FindHeaders to discover chains of missing blocks). Both paths must function for normal operation.

The gossip path was vulnerable because there was no per-connection rate limit on inv messages. A single connection could send enough sequential inv messages with fake block hashes to fill the entire gossip download queue in under a millisecond. The FullQueue return value was silently ignored, so legitimate block announcements from honest peers were dropped with no warning.

The syncer backup path could be degraded by responding with empty inv to FindBlocks requests and with NotFound to block download requests. Both are valid protocol responses that carried zero misbehavior penalty. The attacker's connection was never banned and never disconnected, allowing the degradation to persist indefinitely.

Combining these two vectors, an attacker could suppress both block discovery paths simultaneously from a single connection, causing the node to fall permanently behind the chain tip.

Impact

Denial of Service

  • Attack Vector: Network, unauthenticated. Requires only a single TCP peer connection.
  • Effect: Permanent halt of block discovery. The targeted node falls behind the chain tip and never recovers without operator intervention.
  • Scope: Any Zebra node reachable by the attacker over the peer-to-peer network.

Fixed Versions

This issue is fixed in Zebra 4.4.0.

The fix drops connections that send empty responses to FindBlocks and FindHeaders messages, preventing attackers from degrading the syncer path without consequence.

Mitigation

Users should upgrade to Zebra 4.4.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to protect against this attack.

Credits

Zebra the researcher who reported this issue through the coordinated disclosure process.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:12:35Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-05-08T16:16:13Z"
}
References

Affected packages

crates.io / zebrad

Package

Name
zebrad
View open source insights on deps.dev
Purl
pkg:cargo/zebrad

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h9hm-m2xj-4rq9/GHSA-h9hm-m2xj-4rq9.json"