Zk-Nd3R

**Name of the Vulnerable Software and Affected Versions** zebrad versions prior to 4.4.0 zebra-chain versions prior to 7.0.0 zebra-network versions prior to 6.0.0 **Description** Several inbound deserialization paths in Zebra allocate buffers based on generic transport or block-size ceilings before tighter protocol or consensus limits are enforced. This allows an unauthenticated or post-handshake peer to force a node to preallocate and parse significantly more data than intended. This issue affects `headers` messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. Specifically, the network codec uses `TrustedPreallocate` and generic `Vec` deserialization, leading to gaps where allocation occurs before the real limit is enforced in functions such as `read headers()`, `Solution::zcash deserialize`, and `Input::zcash deserialize()`. This can result in a Denial of Service by amplifying per-message memory and parse costs. **Recommendations** Update zebrad to version 4.4.0 or later. Update zebra-chain to version 7.0.0 or later. Update zebra-network to version 6.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** zebrad versions prior to 4.3.0 zebra-network versions prior to 5.0.1 Zebra versions prior to 4.3.1 **Description** An issue exists during the deserialization of 'addr' or 'addrv2' messages containing vectors of addresses. The software would fully deserialize these messages up to a maximum length derived from the 2 MiB message size limit (over 233,000 entries), which significantly exceeds the specification limit of 1,000 messages. Because the memory for the larger vector was allocated before the limit check occurred, an attacker could trigger out-of-memory aborts by sending multiple such messages over different connections, leading to a denial of service. This occurs within the `read addr/addrv2` functions in `codec.rs` using the `zcash deserialize()` trait method, which relied on `T::max allocation()` for the upper bound. **Recommendations** Update zebrad to version 4.3.0 or later. Update zebra-network to version 5.0.1 or later. Update Zebra to version 4.3.1 or later.