{"vulnerability": "CVE-2026-44499", "sightings": [{"uuid": "173b3b7b-e3ff-47a8-a9ea-3c48a649edf1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-44499", "type": "seen", "source": "https://gist.github.com/alon710/b2fb36b6ecfecf3424b0cb12c54264f5", "content": "# CVE-2026-44499: CVE-2026-44499: Permanent Block Discovery Halt in Zebra via Gossip Queue Saturation\n\n> **CVSS Score:** 8.7\n> **Published:** 2026-05-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-44499\n\n## Summary\nCVE-2026-44499 is a composite Denial of Service (DoS) vulnerability affecting Zebra, the Rust implementation of a Zcash full node. By exploiting architectural flaws in the peer-to-peer (P2P) communication stack, an unauthenticated attacker can saturate internal message queues and poison the chain discovery process, permanently isolating the target node from the network.\n\n## TL;DR\nUnauthenticated attackers can permanently halt block discovery in Zebra nodes prior to v4.4.0 by saturating the P2P gossip queue and providing unpenalized empty responses to synchronization requests.\n\n## Technical Details\n\n- **CVSS Score**: 8.7\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **Exploit Status**: None\n- **KEV Status**: Not Listed\n- **Authentication**: None Required\n\n## Affected Systems\n\n- Zebra < 4.4.0\n- **Zebra**: < 4.4.0 (Fixed in: `4.4.0`)\n\n## Mitigation\n\n- Upgrade to Zebra version 4.4.0 or later.\n- Implement network-level rate limiting for inbound P2P connections.\n- Monitor node synchronization metrics for abrupt halts in block height progression.\n\n**Remediation Steps:**\n1. Stop the affected Zebra service gracefully.\n2. Update the Zebra binary to version 4.4.0 via your package manager or by compiling from the official repository.\n3. Restart the Zebra service and monitor the logs to verify successful synchronization with the network.\n\n## References\n\n- [GitHub Security Advisory: GHSA-h9hm-m2xj-4rq9](https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9)\n- [CVE.org Record for CVE-2026-44499](https://www.cve.org/CVERecord?id=CVE-2026-44499)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-44499) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T20:10:29.000000Z"}, {"uuid": "870d97b2-aac9-4e96-a38b-05526fc9fe59", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-44499", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mleeu5cpdq2v", "content": "CVE-2026-44499 - ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning\nCVE ID : CVE-2026-44499\n \n Published : May 8, 2026, 4:16 p.m. | 2\u00a0hours, 4\u00a0minutes ago\n \n Description : ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4....", "creation_timestamp": "2026-05-08T18:38:33.638031Z"}]}