Threat Feed
medium threat

Zebra Block Discovery Denial-of-Service via Gossip Queue Saturation and Syncer Poisoning

A denial-of-service vulnerability exists in Zebra's block discovery pipeline, allowing an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node by exploiting weaknesses in the gossip, syncer, and download subsystems.

A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. This vulnerability, present in Zebra versions prior to 4.4.0, exploits three weaknesses in the gossip, syncer, and download subsystems. The attack is initiated from a single TCP connection and creates a monotonically growing block deficit that never self-heals. By suppressing both block discovery paths simultaneously, the attacker causes the node to fall permanently behind the chain tip. The vulnerability was reported to Zebra through a coordinated disclosure process.

Attack Chain

  1. Attacker establishes a TCP connection to the targeted Zebra node.
  2. Attacker floods the node with a high volume of inv messages containing fake block hashes.
  3. The gossip download queue on the target node becomes saturated due to the lack of per-connection rate limits on inv messages.
  4. Legitimate block announcements from honest peers are dropped without warning, preventing normal block discovery via gossip.
  5. Attacker sends FindBlocks requests to the target node, attempting to trigger the syncer path.
  6. Attacker responds to FindBlocks requests with empty inv messages, degrading the syncer path.
  7. When the target node attempts to download blocks, the attacker responds with NotFound messages.
  8. With both block discovery paths suppressed, the target node permanently falls behind the chain tip and requires operator intervention to recover.

Impact

Successful exploitation of this vulnerability results in a permanent denial-of-service condition. The targeted Zebra node falls behind the chain tip and ceases to discover new blocks, effectively halting its participation in the network. The attack is unauthenticated and requires only a single TCP connection, making it easy to execute. Any Zebra node reachable over the peer-to-peer network is potentially vulnerable. Recovery requires manual intervention by the node operator.

Recommendation

  • Upgrade to Zebra version 4.4.0 or later to patch CVE-2026-44499, as the fix drops connections that send empty responses to FindBlocks and FindHeaders messages.
  • Deploy the Sigma rule “Detect Zebra Syncer Path Degradation” to identify suspicious connections sending empty responses to FindBlocks and FindHeaders messages.
  • Monitor network connections for excessive inv message traffic from single peers to detect potential gossip queue saturation attacks.
  • Review firewall logs for unusual connection patterns targeting Zebra nodes, indicative of potential reconnaissance or exploitation attempts.

Detection coverage (2 rules)

Detect Zebra Syncer Path Degradation

medium

Detects connections sending empty responses to FindBlocks or FindHeaders messages, indicating syncer path degradation attempts.

Format: Sigma. Tactics: impact. Techniques: T1499.004. Sources: network_connection, linux.

Detect Excessive inv Message Traffic

low

Detects a single peer sending an excessive number of inv messages, potentially indicating a gossip queue saturation attack.

Format: Sigma. Tactics: impact. Techniques: T1499.004. Sources: network_connection, linux.
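The two rules above, and the monitoring items in the Recommendation section (excessive inv traffic from a single peer; empty responses to FindBlocks and FindHeaders), can be prototyped offline before the Sigma rules are deployed. The script below is an added example written for this page: it is neither the platform's Sigma rules nor Zebra's own code. The one-line-per-message log format, the peer addresses, the timestamps and the thresholds (more than 50 inbound inv messages from one peer inside a 10-second sliding window) are all constructed assumptions; a real deployment would map the same logic onto whatever peer-message logging the node operator actually has.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed log format (an assumption for this example, not Zebra's real log layout):
#   <unix_ts> peer=<ip:port> dir=<in|out> msg=<type> items=<n> [reply_to=<type>]
LINE_RE = re.compile(
    r"^(?P<ts>\d+) peer=(?P<peer>\S+) dir=(?P<dir>in|out) msg=(?P<msg>\w+)"
    r" items=(?P<items>\d+)(?: reply_to=(?P<reply_to>\w+))?$"
)


@dataclass(frozen=True)
class Event:
    ts: int
    peer: str
    direction: str
    msg: str
    items: int
    reply_to: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; lines that do not match the constructed format are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(int(m["ts"]), m["peer"], m["dir"], m["msg"], int(m["items"]), m["reply_to"])


def detect_empty_sync_responses(events: Iterable[Event]) -> List[Tuple[str, int, str]]:
    """Rule 1 (syncer path degradation): an inbound reply to our FindBlocks or
    FindHeaders request that carries zero items. Returns (peer, ts, request_type)."""
    hits = []
    for e in events:
        if e.direction == "in" and e.items == 0 and e.reply_to in ("FindBlocks", "FindHeaders"):
            hits.append((e.peer, e.ts, e.reply_to))
    return hits


def detect_inv_floods(events: Iterable[Event], window_s: int = 10,
                      max_msgs: int = 50) -> List[Tuple[str, int, int]]:
    """Rule 2 (gossip queue saturation): more than max_msgs inbound inv messages from one
    peer inside any window_s-second sliding window. One alert per peer, raised at the
    first message that crosses the threshold. Returns (peer, ts, messages_in_window)."""
    recent = defaultdict(deque)  # peer -> timestamps of inv messages still inside the window
    alerted = set()
    hits = []
    for e in events:
        if e.direction != "in" or e.msg != "inv":
            continue
        q = recent[e.peer]
        q.append(e.ts)
        while q and e.ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_msgs and e.peer not in alerted:
            alerted.add(e.peer)
            hits.append((e.peer, e.ts, len(q)))
    return hits


def analyse(log_text: str) -> dict:
    """Run both rules over a log excerpt and return their alerts keyed by rule name."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return {
        "empty_sync_responses": detect_empty_sync_responses(events),
        "inv_floods": detect_inv_floods(events),
    }


# Constructed sample log: one well-behaved peer and one peer showing both behaviours.
# Addresses are from the TEST-NET documentation ranges; nothing here is a real node.
HONEST = "203.0.113.5:8233"
NOISY = "198.51.100.7:8233"
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} peer={HONEST} dir=in msg=inv items=1" for i in range(0, 30, 5)]
    + [f"1700000040 peer={NOISY} dir=in msg=inv items=1" for _ in range(60)]
    + [
        f"1700000041 peer={HONEST} dir=out msg=FindBlocks items=1",
        f"1700000042 peer={HONEST} dir=in msg=inv items=500 reply_to=FindBlocks",
        f"1700000043 peer={NOISY} dir=out msg=FindBlocks items=1",
        f"1700000044 peer={NOISY} dir=in msg=inv items=0 reply_to=FindBlocks",
        f"1700000045 peer={NOISY} dir=out msg=FindHeaders items=1",
        f"1700000046 peer={NOISY} dir=in msg=headers items=0 reply_to=FindHeaders",
        "a line in some other format, ignored by the parser",
    ]
)

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOG).items():
        print(rule, hits)
```

Run as-is, the honest peer never appears in either alert list (six inv messages spread over 25 seconds stay well under the window threshold), while the noisy peer produces one flood alert at the 51st message and two empty-response alerts. The flood rule alerts once per peer rather than once per message so that the flood itself does not also flood the alert channel; the empty-response rule alerts on every occurrence because a single such reply is already the behaviour the 4.4.0 fix disconnects on.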
