PT-2026-33599 · Zcash · Zebrad+2
Zk-Nd3R · Published 2026-04-18 · Updated 2026-04-21 · CVE-2026-40881
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
zebrad versions prior to 4.3.0
zebra-network versions prior to 5.0.1
Zebra versions prior to 4.3.1
Description
An issue exists in the deserialization of 'addr' and 'addrv2' messages, which contain vectors of addresses. The software would fully deserialize these messages up to a maximum length derived from the 2 MiB message size limit (over 233,000 entries), which significantly exceeds the specification limit of 1,000 messages. Because the memory for the larger vector was allocated before the limit check occurred, an attacker could trigger out-of-memory aborts by sending multiple such messages over different connections, leading to a denial of service. This occurs within the read_addr/read_addrv2 functions in codec.rs using the zcash_deserialize() trait method, which relied on T::max_allocation() for the upper bound.
Recommendations
Update zebrad to version 4.3.0 or later.
Update zebra-network to version 5.0.1 or later.
Update Zebra to version 4.3.1 or later.
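The ordering problem from the description, as an added Rust example that is not Zebra's code: one toy parser run with the limit check after and before the allocation. The u32 count prefix, the 9-byte entry layout and all names are assumptions made for the illustration; the 2 MiB and 1,000 limits are the advisory's.

```rust
// Added illustration, not code from Zebra. The wire layout is a constructed
// simplification: u32 LE count, then fixed 9-byte entries.
use std::mem::size_of;

const MAX_MESSAGE_BYTES: usize = 2 * 1024 * 1024; // 2 MiB message size limit
const WIRE_ENTRY_BYTES: usize = 9; // assumed minimum serialized entry size
const SPEC_MAX_ADDRS: usize = 1_000; // specification limit

#[derive(Debug, PartialEq)]
pub enum AddrError { Truncated, TooManyAddrs(usize) }

#[derive(Debug, Clone, Copy)]
pub struct Entry { pub time: u32, pub port: u16 }

/// Constructed sample input: `n` all-zero entries behind the count prefix.
pub fn sample_message(n: u32) -> Vec<u8> {
    let mut m = n.to_le_bytes().to_vec();
    m.resize(4 + n as usize * WIRE_ENTRY_BYTES, 0);
    m
}

/// Returns the parse result and the bytes reserved for the vector up front.
pub fn read_addrs(msg: &[u8], check_first: bool) -> (Result<Vec<Entry>, AddrError>, usize) {
    if msg.len() < 4 { return (Err(AddrError::Truncated), 0); }
    let count = u32::from_le_bytes([msg[0], msg[1], msg[2], msg[3]]) as usize;
    let body = &msg[4..];
    // Check-first ordering: reject on the declared count before reserving memory.
    if check_first && count > SPEC_MAX_ADDRS { return (Err(AddrError::TooManyAddrs(count)), 0); }
    // Bound derived only from the message size limit: 233,016 entries here.
    if count > MAX_MESSAGE_BYTES / WIRE_ENTRY_BYTES { return (Err(AddrError::TooManyAddrs(count)), 0); }
    if body.len() < count * WIRE_ENTRY_BYTES { return (Err(AddrError::Truncated), 0); }
    let mut out: Vec<Entry> = Vec::with_capacity(count);
    let reserved = out.capacity() * size_of::<Entry>();
    for e in body.chunks_exact(WIRE_ENTRY_BYTES).take(count) {
        let time = u32::from_le_bytes([e[0], e[1], e[2], e[3]]);
        out.push(Entry { time, port: u16::from_be_bytes([e[7], e[8]]) });
    }
    // Late ordering: the limit is enforced only after the vector was built.
    if count > SPEC_MAX_ADDRS { return (Err(AddrError::TooManyAddrs(count)), reserved); }
    (Ok(out), reserved)
}

fn main() {
    let msg = sample_message(200_000);
    for check_first in [false, true] {
        let (res, reserved) = read_addrs(&msg, check_first);
        println!("check_first={check_first}: reserved {reserved} bytes, ok={}", res.is_ok());
    }
}
```

Both orderings reject the oversized message with the same error; only the late check has already reserved the full vector by the time it does so.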
Exploit
Fix
DoS
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Zebra
Zebra-Network
Zebrad