<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Zebrad &lt;= 4.4.1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/zebrad--4.4.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:34:34 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/zebrad--4.4.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Zebra Block Suppression Vulnerability (CVE-2026-52736) via P2P Body Poisoning</title><link>https://feed.craftedsignal.io/briefs/2026-07-zebra-block-suppression/</link><pubDate>Fri, 03 Jul 2026 11:34:34 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-zebra-block-suppression/</guid><description>A remote unauthenticated attacker can exploit CVE-2026-52736 in Zebra's `zebrad` node (versions up to and including `v4.4.1`) to permanently stall a targeted blockchain node by poisoning its sent-hash cache, leading to a denial of service.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-52736, affects Zebra's <code>zebrad</code> blockchain nodes, specifically versions up to <code>v4.4.1</code>, as well as <code>zebra-state</code> up to <code>v6.0.0</code>. This flaw allows a remote, unauthenticated attacker to conduct a denial-of-service attack against a target node by exploiting a caching issue in how <code>zebrad</code> handles block hashes. By leveraging coinbase scriptSig malleability (ZIP-244 <code>txid_v5</code>) to create a poisoned block body with the same header hash as a legitimate canonical block, an attacker can cause the node to cache the hash and then reject the actual valid block as a duplicate. This leads to the node permanently stalling at a specific block height, diverging from the network tip, and preventing downstream services like lightwalletd, wallets, and explorers from advancing. The attack requires winning a propagation race to deliver the poisoned block before honest peers deliver the canonical one, which a well-positioned attacker can reliably achieve.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker observes a new block header from any peer on the network.</li>
<li>Attacker constructs a poisoned block body that has an identical header hash to the observed block, achieved by mutating the coinbase <code>scriptSig</code> extra-data section.</li>
<li>Attacker advertises the hash of this specially crafted block to the target Zebra node via an <code>inv</code> (inventory) message over the P2P network.</li>
<li>The target Zebra node requests the advertised block via a <code>getdata</code> message, and the attacker serves the poisoned body.</li>
<li>Zebra adds the block hash to its <code>non_finalized_block_write_sent_hashes</code> cache before completing contextual validation of the block body.</li>
<li>The write task within Zebra subsequently rejects the poisoned body due to an <code>auth_data_root</code> mismatch (specifically, <code>block_commitment_is_valid_for_chain_history</code> fails), but the hash is not removed from the <code>non_finalized_block_write_sent_hashes</code> cache.</li>
<li>When the valid, canonical block later arrives from honest peers or an RPC connection, Zebra's <code>queue_and_commit_to_non_finalized_state</code> function sees the hash already in the cache and erroneously treats it as a duplicate, returning <code>KnownBlock::WriteChannel</code>.</li>
<li>The target Zebra node fails to advance past the affected block height (N-1), becoming permanently stalled until a manual restart (which clears the in-memory cache) or a rare chain reorg event occurs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52736 leads to a permanent denial of service for the targeted Zebra node, causing it to diverge from the main blockchain network. This renders the node unable to process new blocks, effectively stalling its operation. Downstream services and applications that rely on the affected node, such as lightwallets, block explorers, and potentially mining infrastructure, will experience service degradation or complete outages due to an inability to access up-to-date blockchain data. Recovery from this attack typically requires manual intervention, specifically restarting the <code>zebrad</code> process to clear the in-memory sent-hash cache, or waiting for an unlikely chain reorg at the stalled height. There is no information on specific victim counts or sectors, but any organization operating vulnerable Zebra nodes is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch all <code>zebrad</code> nodes to version <code>v4.4.2</code> or later to remediate CVE-2026-52736, which includes a fix for removing stale entries from the sent-hash cache.</li>
<li>While not a complete solution for CVE-2026-52736, consider reducing the <code>network.peerset_initial_target_size</code> configuration to narrow the attack surface by limiting the number of inbound P2P connections.</li>
<li>Be prepared to restart <code>zebrad</code> nodes if they stall at a specific block height, as this is the primary recovery mechanism to clear the in-memory <code>non_finalized_block_write_sent_hashes</code> cache.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>blockchain</category><category>denial-of-service</category><category>network</category><category>vulnerability</category></item><item><title>Zebra Node Denial-of-Service via IPv4-Mapped Mempool Misbehavior Panic (CVE-2026-52829)</title><link>https://feed.craftedsignal.io/briefs/2026-07-zebra-mempool-panic/</link><pubDate>Fri, 03 Jul 2026 11:25:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-zebra-mempool-panic/</guid><description>A remote unauthenticated peer can exploit an address normalization mismatch in Zebra's address book when connecting via IPv4 to a dual-stack IPv6 listener on a Linux host, by then advertising an invalid mempool transaction, which triggers a deterministic assertion panic after a 30-second delay, causing the `zebrad` process to terminate, leading to persistent denial of service.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-52829, affects Zebra <code>zebrad</code> nodes up to version <code>4.4.1</code> and <code>zebra-network</code> up to <code>6.0.0</code>, potentially allowing a remote denial-of-service. An address normalization mismatch occurs when a peer connects via IPv4 to a dual-stack IPv6 listener (the default <code>[::]</code> address on Linux with <code>net.ipv6.bindv6only=0</code>), and subsequently triggers a mempool misbehavior penalty by advertising an invalid transaction. The <code>zebrad</code> software stores the peer's address in a canonical IPv4 form during the initial handshake, but later attempts to update its misbehavior status using the raw IPv4-mapped IPv6 address from the transient socket. This inconsistency leads to a deterministic assertion panic after a 30-second delay, terminating the <code>zebrad</code> process. This issue is critical for any <code>zebrad</code> node synchronized near the chain tip in a production environment as it enables persistent downtime.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker initiates an IPv4 connection to a vulnerable <code>zebrad</code> node listening on a dual-stack IPv6 address (e.g., <code>[::]</code> on Linux with <code>net.ipv6.bindv6only=0</code>).</li>
<li>During the P2P handshake, the <code>zebrad</code> node's address book canonicalizes the IPv4-mapped IPv6 address (e.g., <code>::ffff:127.0.0.1</code>) to a plain IPv4 address (e.g., <code>127.0.0.1</code>) and stores it.</li>
<li>The attacker advertises an invalid mempool transaction, such as a coinbase transaction, which the <code>zebrad</code> node attempts to download.</li>
<li>The <code>zebrad</code> node identifies the transaction as invalid and queues a misbehavior penalty for the peer, forwarding the raw IPv4-mapped IPv6 transient socket address.</li>
<li>After a 30-second batch flush, the address book attempts to apply the misbehavior update to the stored peer entry.</li>
<li>An internal assertion (<code>previous.addr == self.addr()</code>) fails because the canonical IPv4 address originally stored does not match the raw IPv4-mapped IPv6 address received for the misbehavior update.</li>
<li>This mismatch triggers a <code>panic = &quot;abort&quot;</code>, causing the <code>zebrad</code> process to terminate, resulting in a denial-of-service.</li>
<li>The attacker can repeat this sequence after each node restart, leading to persistent downtime.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows any remote, unauthenticated peer to deterministically crash a synced Zebra node running in its default Linux dual-stack configuration. The attack requires no mining capability, RPC access, funds, or special privileges, making it highly accessible to adversaries. The <code>zebrad</code> process terminates abruptly, leading to service disruption. Since the attack can be repeated reliably after each restart, it poses a significant threat of persistent denial of service, impacting the availability and stability of the Zebra network. Nodes operating as part of critical infrastructure, such as those maintaining blockchain consensus, would face severe operational issues.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-52829 by upgrading <code>zebrad</code> to version <code>4.5.0</code> or higher immediately.</li>
<li>As a temporary workaround, configure <code>zebrad</code>'s <code>listen_addr</code> to bind only to an IPv4-only address (e.g., <code>0.0.0.0:8233</code>) to prevent the use of IPv4-mapped IPv6 representations.</li>
<li>Alternatively, on Linux hosts, set the kernel parameter <code>net.ipv6.bindv6only=1</code> to disable dual-stack acceptance on IPv6 listeners, thus preventing the vulnerable condition described in CVE-2026-52829.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>linux</category><category>rust</category></item></channel></rss>