PT-2026-37131 · Zebra-Rpc+1

Shieldedonly · Published 2026-04-18 · Updated 2026-05-08 · CVE-2026-41585

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions

zebrad versions 2.2.0 through 4.3.0
zebra-rpc versions 1.0.0-beta.45 through 6.0.1
Description

A flaw in the JSON-RPC HTTP middleware allows an authenticated RPC client to crash the node. The issue occurs when a client disconnects before the request body has been fully received, for example by resetting the TCP connection mid-transfer. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the whole process instead of returning an error response for that one request, resulting in a Denial of Service (DoS). The flaw is exploitable by clients holding valid RPC credentials, or by anyone who can reach the RPC port on nodes where cookie authentication is disabled.
Recommendations

Update zebrad to version 4.3.1.
Update zebra-rpc to version 6.0.2.
Ensure the RPC port is not exposed to untrusted networks and keep cookie authentication enabled.
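The failure mode in the description above, as an added in-memory model written for this page (it is not Zebra's code and does not reproduce its middleware). A client sends the request head with a Content-Length, then goes away before the body is complete, either with an RST (ECONNRESET) or an early FIN (EOF). A handler that treats the resulting read error as unrecoverable panics and takes the accept loop with it; a handler that scopes the error to that one connection answers 400 and keeps serving the next client. The HTTP reader, the 1 MiB body cap, the simulated sockets and the sample request are all assumptions constructed for the example.

```rust
use std::io::{self, Read};
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Upper bound on a body we are willing to buffer (assumed for this example).
const MAX_BODY_BYTES: usize = 1 << 20;
/// Constructed sample JSON-RPC body, not captured traffic.
const SAMPLE_BODY: &[u8] = b"{\"jsonrpc\":\"2.0\",\"method\":\"getinfo\",\"params\":[],\"id\":1}";

/// Simulated client socket: yields `data`, then behaves like a peer that went away.
/// `reset == true` mimics an RST (ECONNRESET); `false` mimics an early FIN (EOF).
struct TruncatedClient {
    data: Vec<u8>,
    pos: usize,
    reset: bool,
}

impl Read for TruncatedClient {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if self.pos >= self.data.len() {
            return if self.reset {
                Err(io::Error::new(io::ErrorKind::ConnectionReset, "connection reset by peer"))
            } else {
                Ok(0)
            };
        }
        let n = (self.data.len() - self.pos).min(buf.len());
        buf[..n].copy_from_slice(&self.data[self.pos..self.pos + n]);
        self.pos += n;
        Ok(n)
    }
}

/// Request whose Content-Length promises `declared_len` bytes while only
/// `sent_body` is ever transmitted. The Host value is a placeholder.
fn build_request(sent_body: &[u8], declared_len: usize) -> Vec<u8> {
    let mut req = format!(
        "POST / HTTP/1.1\r\nHost: 127.0.0.1:8232\r\nContent-Type: application/json\r\nContent-Length: {}\r\n\r\n",
        declared_len
    )
    .into_bytes();
    req.extend_from_slice(sent_body);
    req
}

/// Read the head up to the blank line, then exactly Content-Length body bytes.
/// A client that disconnects early surfaces as UnexpectedEof or ConnectionReset
/// from `read_exact`; an absurd Content-Length is rejected before allocating.
fn read_body(client: &mut dyn Read) -> io::Result<Vec<u8>> {
    let mut head = Vec::new();
    let mut byte = [0u8; 1];
    while !head.ends_with(b"\r\n\r\n") {
        if client.read(&mut byte)? == 0 {
            return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "EOF inside request head"));
        }
        head.push(byte[0]);
    }
    let head = String::from_utf8_lossy(&head);
    let content_length = head
        .lines()
        .filter_map(|line| line.split_once(':'))
        .find(|(name, _)| name.trim().eq_ignore_ascii_case("content-length"))
        .and_then(|(_, value)| value.trim().parse::<usize>().ok())
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "missing Content-Length"))?;
    if content_length > MAX_BODY_BYTES {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "body too large"));
    }
    let mut body = vec![0u8; content_length];
    client.read_exact(&mut body)?;
    Ok(body)
}

fn ok_response(body: &[u8]) -> String {
    format!("HTTP/1.1 200 OK\r\n\r\n{{\"received_bytes\":{}}}", body.len())
}

/// Vulnerable shape: a failed body read is treated as unrecoverable. In a node
/// whose RPC server runs inside the node process, this panic takes the node down.
fn handle_vulnerable(client: &mut dyn Read) -> String {
    let body = read_body(client).expect("failed to read request body");
    ok_response(&body)
}

/// Hardened shape: the same failure is scoped to this connection and answered
/// (or the connection simply dropped); the accept loop keeps serving others.
fn handle_hardened(client: &mut dyn Read) -> String {
    match read_body(client) {
        Ok(body) => ok_response(&body),
        Err(e) => format!("HTTP/1.1 400 Bad Request\r\n\r\n{{\"error\":\"{:?}\"}}", e.kind()),
    }
}

/// Stand-in for the accept loop: serve each queued client in order.
fn serve(clients: Vec<TruncatedClient>, handler: fn(&mut dyn Read) -> String) -> Vec<String> {
    clients.into_iter().map(|mut c| handler(&mut c)).collect()
}

/// Queue: good request, mid-body RST, mid-body FIN, then another good request
/// that a surviving server must still answer.
fn sample_queue() -> Vec<TruncatedClient> {
    let full = SAMPLE_BODY;
    vec![
        TruncatedClient { data: build_request(full, full.len()), pos: 0, reset: false },
        TruncatedClient { data: build_request(&full[..20], full.len()), pos: 0, reset: true },
        TruncatedClient { data: build_request(&full[..20], full.len()), pos: 0, reset: false },
        TruncatedClient { data: build_request(full, full.len()), pos: 0, reset: false },
    ]
}

fn main() {
    for r in serve(sample_queue(), handle_hardened) {
        println!("{}", r.lines().last().unwrap_or(""));
    }
    let crashed = catch_unwind(AssertUnwindSafe(|| serve(sample_queue(), handle_vulnerable))).is_err();
    println!("vulnerable loop died before reaching the last client: {}", crashed);
}
```

Against a live node the equivalent probe is a client with valid credentials that sends the head plus a few body bytes and then closes with SO_LINGER set to zero so the kernel emits an RST; an unpatched node exits, a patched one logs or answers an error for that connection only. Whether a panic in a request handler actually aborts the process depends on how the server runtime propagates it, which is why the hardened form converts the I/O error into a response rather than relying on panic isolation.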

Fix

Weakness Enumeration

Assertion Failure

Related Identifiers

CVE-2026-41585
GHSA-29X4-R6JV-FF4W

Affected Products

Zebra-Rpc
Zebrad