ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients

Summary

CVE	CVE-2026-41585
State	PUBLISHED
Assigner	GitHub_M
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-08 15:16:41 UTC
Updated	2026-05-08 18:19:56 UTC
Description	ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.

Risk And Classification

Primary CVSS: v4.0 6.9 MEDIUM from [email protected]

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.000400000 probability, percentile 0.122340000 (date 2026-05-11)

Problem Types: CWE-248 | CWE-617 | CWE-248 CWE-248: Uncaught Exception | CWE-617 CWE-617: Reachable Assertion

Version	Source	Type	Score	Severity	Vector
4.0	[email protected]	Secondary	6.9	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/C...`
4.0	CNA	DECLARED	6.9	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H`
3.1	[email protected]	Primary	6.5	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`

CVSS v4.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

None

Confidentiality

None

Integrity

None

Availability

High

Sub Conf.

None

Sub Integrity

None

Sub Availability

High

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Zfnd	Zebra-rpc	All	All	All	All
Application	Zfnd	Zebra-rpc	1.0.0	-	All	All
Application	Zfnd	Zebra-rpc	1.0.0	beta45	All	All
Application	Zfnd	Zebra-rpc	1.0.0	beta46	All	All
Application	Zfnd	Zebrad	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	ZcashFoundation	Zebra	affected zebra-rpc >= 1.0.0-beta.45, < 6.0.2	Not specified
CNA	ZcashFoundation	Zebra	affected zebrad >= 2.2.0, < 4.3.1	Not specified

References

Reference	Source	Link	Tags
github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w	[email protected]	github.com	Vendor Advisory, Mitigation
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.