CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2026-44499 – ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
https://notcve.org/view.php?id=CVE-2026-44499
08 May 2026 — ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals. This issue has been patched in version... • https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2026-34377 – Zebra has a Consensus Failure due to Improper Verification of V5 Transactions
https://notcve.org/view.php?id=CVE-2026-34377
31 Mar 2026 — ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but coul... • https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.2EPSS: 0%CPEs: 2EXPL: 0CVE-2026-34202 – Zebra node crash — V5 transaction hash panic (P2P reachable)
https://notcve.org/view.php?id=CVE-2026-34202
31 Mar 2026 — ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1. • https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 7.5EPSS: 8%CPEs: 11EXPL: 1CVE-2003-0795 – GNU Zebra 0.9x / Quagga 0.96 - Remote Denial of Service
https://notcve.org/view.php?id=CVE-2003-0795
18 Nov 2003 — The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, does not verify that sub-negotiation is taking place when processing the SE marker, which allows remote attackers to cause a denial of service (crash) via a malformed telnet command to the telnet CLI port, which may trigger a null dereference. La capa vty en Quagga anteriores a 0.96.4, y Zebra anteriores a 0.91, no verifica si se está llevando a cabo una sub-negociación cuando procesa el marcador SE, lo que permite a atacantes remotos causa... • https://www.exploit-db.com/exploits/23375 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 18EXPL: 0CVE-2003-0859
https://notcve.org/view.php?id=CVE-2003-0859
18 Nov 2003 — The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. La función getifaddres en GNU libc (glibc) 2.2.4 y anteriores permite a usuarios locales causar una denegación de servicio enviando mensajes suplantando a otros usuarios al interfaz del kernel netlink. • http://www.redhat.com/support/errata/RHSA-2003-325.html •