CVE-2026-40881
Published: 21 April 2026
Summary
CVE-2026-40881 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Zfnd Zebra-Network. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of information inputs like addr and addrv2 messages to ensure they conform to protocol specifications before memory allocation, directly preventing oversized vector deserialization.
SC-5 mandates denial-of-service protections, including measures against resource exhaustion attacks via oversized network messages sent to the Zebra node.
SI-2 ensures timely flaw remediation by requiring upgrades to patched versions of zebrad and zebra-network that fix the memory allocation vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote memory exhaustion DoS by sending oversized addr/addrv2 messages that trigger excessive allocation before validation, directly mapping to T1499.004 Application or System Exploitation.
NVD Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over…
more
233,000) that was derived from the 2 MiB message size limit. This is much larger than the actual limit of 1,000 messages from the specification. Zebra would eventually check that limit but, at that point, the memory for the larger vector was already allocated. An attacker could cause out-of-memory aborts in Zebra by sending multiple such messages over different connections. This vulnerability is fixed in zebrad version 4.3.0 and zebra-network version 5.0.1.
Deeper analysisAI
CVE-2026-40881 is a denial-of-service vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) affecting Zebra, a Zcash node implementation written in Rust. In versions of zebrad prior to 4.3.0 and zebra-network prior to 5.0.1, the deserialization of addr or addrv2 messages—vectors of network addresses—allocates memory for up to over 233,000 entries based on a 2 MiB message size limit, far exceeding the protocol specification's limit of 1,000 addresses. Although Zebra eventually validates the specification limit, the oversized allocation occurs first, enabling memory exhaustion.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility and low complexity. Any unauthenticated remote attacker can exploit it by sending multiple oversized addr or addrv2 messages across different connections to a vulnerable Zebra node, triggering out-of-memory aborts and disrupting node availability.
The Zcash Foundation's security advisory (GHSA-xr93-pcq3-pxf8) confirms the issue and states that it is fixed in zebrad version 4.3.0 and zebra-network version 5.0.1, recommending immediate upgrades to these versions for mitigation.
Details
- CWE(s)