CVE-2026-44500

ZCV-64500: Allocation amplification in Zebra inbound deserializers affects Zebra nodes prior to 4.4.0 across zebrad, zebra-chain, and zebra-network. Inbound messages (headers, blocks, transactions) could be deserialized using generic transport or block-size ceilings, causing unauthenticated/post-...

CVE-2026-40881 Zebra: addr/addrv2 Deserialization Resource Exhaustion

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length over 233,000 that was derived from the 2 MiB...