ZEBRA Zcash Node Allocation Amplification Vulnerability in Inbound Deserialization

Vulnerability

A denial-of-service vulnerability has been identified in ZEBRA, a Zcash node implementation in Rust, affecting versions prior to zebrad 4.4.0, zebra-chain 7.0.0, and zebra-network 6.0.0. The vulnerability arises from several inbound deserialization paths that allocated buffers based on generic transport or block-size limits, before applying stricter protocol or consensus rules. This flaw allowed an unauthenticated or post-handshake peer to force the node to preallocate and parse significantly more data than intended, leading to increased memory usage and parsing costs. The issue is particularly pronounced when multiple peer connections are active, amplifying the impact.

Impact

Exploitation of this vulnerability causes an amplified allocation and parsing cost for inbound messages from peers, which can stack across concurrent connections, potentially leading to a denial-of-service condition on the affected ZEBRA node.

Reproduction

The vulnerability can be reproduced by opening an inbound TCP connection to a ZEBRA node (and completing the version handshake, if necessary). Then, send a 'headers' message with a count of up to approximately 1,409 entries, a 'block' whose header contains an inflated equihash solution length, a 'tx' message with a coinbase input declaring a large number of Sapling spends, or a 'block' with a coinbase input whose script length approaches the message-size ceiling. The deserializer will allocate memory based on the loose ceiling, process the data, and only then reject it, causing the amplification effect.
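The allocation ordering described above, as an added Rust sketch for defenders and reviewers; it is not Zebra's code. The 4-byte count prefix, the constant values and all function names are assumptions made for illustration. With these assumed sizes the loose ceiling works out to 1,409 entries, and the reserved count is carried in the error so the difference between the two orderings is visible.

```rust
// Added illustration: constants and the 4-byte count prefix are assumptions, not Zebra's code.
const MAX_MESSAGE_BYTES: usize = 2 * 1024 * 1024; // generic transport ceiling (assumed)
const ENTRY_BYTES: usize = 1488; // serialized size of one list entry (assumed)
const PROTOCOL_MAX_ENTRIES: usize = 160; // stricter protocol rule (assumed)

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, TooManyEntries { declared: usize, reserved: usize } }

/// Reads the declared entry count from a little-endian u32 prefix.
fn declared_count(body: &[u8]) -> Result<usize, ParseError> {
    let p = body.get(..4).ok_or(ParseError::Truncated)?;
    Ok(u32::from_le_bytes([p[0], p[1], p[2], p[3]]) as usize)
}

/// Reserves room for `cap` entries, then copies in the entries actually present.
fn fill(body: &[u8], cap: usize) -> usize {
    let mut entries: Vec<[u8; ENTRY_BYTES]> = Vec::with_capacity(cap);
    for chunk in body[4..].chunks_exact(ENTRY_BYTES).take(cap) {
        let mut entry = [0u8; ENTRY_BYTES];
        entry.copy_from_slice(chunk);
        entries.push(entry);
    }
    entries.len()
}

/// Order the advisory describes: reserve by the loose ceiling, parse, then reject.
pub fn parse_loose(body: &[u8]) -> Result<usize, ParseError> {
    let declared = declared_count(body)?;
    let reserved = declared.min(MAX_MESSAGE_BYTES / ENTRY_BYTES);
    let parsed = fill(body, reserved);
    if declared > PROTOCOL_MAX_ENTRIES {
        return Err(ParseError::TooManyEntries { declared, reserved });
    }
    Ok(parsed)
}

/// Hardened order: apply the protocol rule and the received length before reserving.
pub fn parse_strict(body: &[u8]) -> Result<usize, ParseError> {
    let declared = declared_count(body)?;
    if declared > PROTOCOL_MAX_ENTRIES {
        return Err(ParseError::TooManyEntries { declared, reserved: 0 });
    }
    Ok(fill(body, declared.min((body.len() - 4) / ENTRY_BYTES)))
}

fn main() {
    let msg = u32::MAX.to_le_bytes(); // constructed body: inflated count, no entries
    println!("loose:  {:?}", parse_loose(&msg));
    println!("strict: {:?}", parse_strict(&msg));
}
```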

Remediation

Users are advised to upgrade to ZEBRA version 4.4.0 or later. There are no known workarounds for this vulnerability.

Added: May 8, 2026, 6:40 PM
Updated: May 8, 2026, 6:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 7.8
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.