{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/zebra-network--6.0.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["zebrad \u003c= 4.4.1","zebra-network \u003c= 6.0.0"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","linux","rust"],"_cs_type":"advisory","_cs_vendors":["Zebra"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-52829, affects Zebra \u003ccode\u003ezebrad\u003c/code\u003e nodes up to version \u003ccode\u003e4.4.1\u003c/code\u003e and \u003ccode\u003ezebra-network\u003c/code\u003e up to \u003ccode\u003e6.0.0\u003c/code\u003e, potentially allowing a remote denial-of-service. An address normalization mismatch occurs when a peer connects via IPv4 to a dual-stack IPv6 listener (the default \u003ccode\u003e[::]\u003c/code\u003e address on Linux with \u003ccode\u003enet.ipv6.bindv6only=0\u003c/code\u003e), and subsequently triggers a mempool misbehavior penalty by advertising an invalid transaction. The \u003ccode\u003ezebrad\u003c/code\u003e software stores the peer's address in a canonical IPv4 form during the initial handshake, but later attempts to update its misbehavior status using the raw IPv4-mapped IPv6 address from the transient socket. This inconsistency leads to a deterministic assertion panic after a 30-second delay, terminating the \u003ccode\u003ezebrad\u003c/code\u003e process. This issue is critical for any \u003ccode\u003ezebrad\u003c/code\u003e node synchronized near the chain tip in a production environment as it enables persistent downtime.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker initiates an IPv4 connection to a vulnerable \u003ccode\u003ezebrad\u003c/code\u003e node listening on a dual-stack IPv6 address (e.g., \u003ccode\u003e[::]\u003c/code\u003e on Linux with \u003ccode\u003enet.ipv6.bindv6only=0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDuring the P2P handshake, the \u003ccode\u003ezebrad\u003c/code\u003e node's address book canonicalizes the IPv4-mapped IPv6 address (e.g., \u003ccode\u003e::ffff:127.0.0.1\u003c/code\u003e) to a plain IPv4 address (e.g., \u003ccode\u003e127.0.0.1\u003c/code\u003e) and stores it.\u003c/li\u003e\n\u003cli\u003eThe attacker advertises an invalid mempool transaction, such as a coinbase transaction, which the \u003ccode\u003ezebrad\u003c/code\u003e node attempts to download.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ezebrad\u003c/code\u003e node identifies the transaction as invalid and queues a misbehavior penalty for the peer, forwarding the raw IPv4-mapped IPv6 transient socket address.\u003c/li\u003e\n\u003cli\u003eAfter a 30-second batch flush, the address book attempts to apply the misbehavior update to the stored peer entry.\u003c/li\u003e\n\u003cli\u003eAn internal assertion (\u003ccode\u003eprevious.addr == self.addr()\u003c/code\u003e) fails because the canonical IPv4 address originally stored does not match the raw IPv4-mapped IPv6 address received for the misbehavior update.\u003c/li\u003e\n\u003cli\u003eThis mismatch triggers a \u003ccode\u003epanic = \u0026quot;abort\u0026quot;\u003c/code\u003e, causing the \u003ccode\u003ezebrad\u003c/code\u003e process to terminate, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this sequence after each node restart, leading to persistent downtime.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any remote, unauthenticated peer to deterministically crash a synced Zebra node running in its default Linux dual-stack configuration. The attack requires no mining capability, RPC access, funds, or special privileges, making it highly accessible to adversaries. The \u003ccode\u003ezebrad\u003c/code\u003e process terminates abruptly, leading to service disruption. Since the attack can be repeated reliably after each restart, it poses a significant threat of persistent denial of service, impacting the availability and stability of the Zebra network. Nodes operating as part of critical infrastructure, such as those maintaining blockchain consensus, would face severe operational issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-52829 by upgrading \u003ccode\u003ezebrad\u003c/code\u003e to version \u003ccode\u003e4.5.0\u003c/code\u003e or higher immediately.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, configure \u003ccode\u003ezebrad\u003c/code\u003e's \u003ccode\u003elisten_addr\u003c/code\u003e to bind only to an IPv4-only address (e.g., \u003ccode\u003e0.0.0.0:8233\u003c/code\u003e) to prevent the use of IPv4-mapped IPv6 representations.\u003c/li\u003e\n\u003cli\u003eAlternatively, on Linux hosts, set the kernel parameter \u003ccode\u003enet.ipv6.bindv6only=1\u003c/code\u003e to disable dual-stack acceptance on IPv6 listeners, thus preventing the vulnerable condition described in CVE-2026-52829.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:25:58Z","date_published":"2026-07-03T11:25:58Z","id":"https://feed.craftedsignal.io/briefs/2026-07-zebra-mempool-panic/","summary":"A remote unauthenticated peer can exploit an address normalization mismatch in Zebra's address book when connecting via IPv4 to a dual-stack IPv6 listener on a Linux host, by then advertising an invalid mempool transaction, which triggers a deterministic assertion panic after a 30-second delay, causing the `zebrad` process to terminate, leading to persistent denial of service.","title":"Zebra Node Denial-of-Service via IPv4-Mapped Mempool Misbehavior Panic (CVE-2026-52829)","url":"https://feed.craftedsignal.io/briefs/2026-07-zebra-mempool-panic/"}],"language":"en","title":"CraftedSignal Threat Feed - Zebra-Network \u003c= 6.0.0","version":"https://jsonfeed.org/version/1.1"}