CVE-2026-41585 Overview
CVE-2026-41585 is a denial of service vulnerability in Zebra, a Zcash node implementation written in Rust. The flaw exists in the JSON-RPC HTTP middleware of zebrad and zebra-rpc. An authenticated RPC client can crash a Zebra node by disconnecting before transmitting the full HTTP request body. The middleware treats this incomplete read as an unrecoverable error and aborts the process rather than returning a graceful error response.
The vulnerability affects zebrad versions 2.2.0 to before 4.3.1 and zebra-rpc versions 1.0.0-beta.45 to before 6.0.2. The Zcash Foundation has released patched versions that handle the read failure correctly.
Critical Impact
An authenticated RPC client can repeatedly crash a Zebra node by initiating and abandoning JSON-RPC requests, disrupting Zcash network participation and validator operations.
Affected Products
- zebrad versions 2.2.0 to before 4.3.1
- zebra-rpc versions 1.0.0-beta.45 to before 6.0.2
- Zcash Foundation Zebra node operators exposing JSON-RPC endpoints
Discovery Timeline
- 2026-05-08 - CVE-2026-41585 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-41585
Vulnerability Analysis
The vulnerability stems from improper exception handling [CWE-248] in Zebra's JSON-RPC HTTP middleware. When a client establishes a connection and begins sending a request, the middleware attempts to read the complete HTTP request body before dispatching the call. If the client terminates the TCP connection prematurely, the body read returns an I/O error.
The middleware classifies this error as unrecoverable and propagates a panic, terminating the entire zebrad process. A correctly designed HTTP server would close the affected connection and return an error or simply discard the partial request. Instead, a single misbehaving client can halt the node.
The attack requires authenticated access to the RPC endpoint, which limits exposure to operators who have configured RPC credentials. However, in deployments where RPC access is shared across applications or services, any one of those clients can crash the node, intentionally or otherwise.
Root Cause
The HTTP middleware lacks error containment for incomplete request body reads. The code path that handles read_to_end or equivalent body buffering does not catch transport-level failures, allowing the error to propagate up to a fatal panic. The patches in zebrad 4.3.1 and zebra-rpc 6.0.2 convert the failure into a proper HTTP error response rather than terminating the process.
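The failure mode described above, as an added example that is not Zebra's code: a body reader that fails mid-read stands in for a client that hangs up early, and the same read is handled the vulnerable way (an uncontained I/O error panics and takes the process down) and the hardened way (the error becomes a 400 for that connection only). The `Response` type and both handler functions are hypothetical names for this illustration.

```rust
use std::io::{self, Cursor, Read};

/// Stand-in for an HTTP response (hypothetical type, not zebra-rpc's).
#[derive(Debug, PartialEq)]
pub struct Response {
    pub status: u16,
    pub body: String,
}

/// Body reader that yields `partial` and then fails as if the peer hung up.
pub struct TruncatedBody {
    inner: Cursor<Vec<u8>>,
}

impl TruncatedBody {
    pub fn new(partial: &[u8]) -> Self {
        Self { inner: Cursor::new(partial.to_vec()) }
    }
}

impl Read for TruncatedBody {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = self.inner.read(buf)?;
        if n == 0 {
            // Constructed failure: the TCP peer closed before the full body arrived.
            return Err(io::Error::new(io::ErrorKind::ConnectionReset, "peer closed early"));
        }
        Ok(n)
    }
}

/// Vulnerable pattern: an I/O error while buffering the body is treated as fatal,
/// so one misbehaving client takes the whole process down.
pub fn handle_vulnerable<R: Read>(mut body: R) -> Response {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf).expect("failed to read request body");
    Response { status: 200, body: format!("got {} bytes", buf.len()) }
}

/// Hardened pattern: contain the error and answer this connection with 400;
/// the process, and every other RPC connection, keeps running.
pub fn handle_hardened<R: Read>(mut body: R) -> Response {
    let mut buf = Vec::new();
    match body.read_to_end(&mut buf) {
        Ok(_) => Response { status: 200, body: format!("got {} bytes", buf.len()) },
        Err(e) => Response { status: 400, body: format!("incomplete request body: {}", e) },
    }
}
```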
Attack Vector
The attacker opens an authenticated JSON-RPC connection to the Zebra node, sends partial HTTP headers and body data, then closes the socket before the server finishes reading. The middleware encounters the truncated body, raises the unhandled exception, and the zebrad process exits. Repeating this action keeps the node offline whenever it is restarted by an operator or supervisor.
No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the GitHub Security Advisory GHSA-29x4-r6jv-ff4w for technical details.
Detection Methods for CVE-2026-41585
Indicators of Compromise
- Unexpected zebrad process termination with panic messages referencing HTTP body read failures
- Repeated short-lived TCP connections to the configured JSON-RPC port followed by abrupt RST or FIN packets
- Process supervisor logs showing frequent restarts of the zebrad service
- RPC client disconnect events correlated with node downtime
Detection Strategies
- Monitor zebrad stderr and journal logs for panic stack traces originating in the JSON-RPC HTTP middleware
- Track JSON-RPC connection metrics for an unusually high ratio of incomplete request bodies relative to completed requests
- Alert on zebrad process exits that are not initiated by operator action or scheduled maintenance
Monitoring Recommendations
- Enable systemd or container orchestrator restart counters and alert when the restart rate exceeds the normal baseline
- Capture network flow data for the RPC listener to identify clients producing partial requests
- Forward Zebra logs to a centralized analytics platform for correlation with authentication events
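The two log-based signals from the Detection Strategies and Monitoring Recommendations above, as an added example that is not part of the advisory or of Zebra: the scanner counts panic lines that point at the request-body read and flags a restart burst when more than a chosen baseline of supervisor restarts fall inside a time window. The sample lines, the message wording and the function names are all constructed for this illustration.

```rust
/// Seconds since midnight from a line that starts with "HH:MM:SS "; None if absent.
fn timestamp_secs(line: &str) -> Option<u64> {
    let mut parts = line.get(0..8)?.split(':').map(|p| p.parse::<u64>().ok());
    let (h, m, s) = (parts.next()??, parts.next()??, parts.next()??);
    Some(h * 3600 + m * 60 + s)
}

#[derive(Debug, Default, PartialEq)]
pub struct Findings {
    pub body_read_panics: usize,
    pub restarts: usize,
    pub restart_burst: bool,
}

/// Scan log lines; flag a burst when more than `max_restarts` supervisor restarts
/// fall inside any `window_secs` span (the operator's baseline, chosen per deployment).
pub fn scan_logs(lines: &[&str], window_secs: u64, max_restarts: usize) -> Findings {
    let mut f = Findings::default();
    let mut recent: Vec<u64> = Vec::new();
    for line in lines {
        let lower = line.to_ascii_lowercase();
        // Signal 1: a panic whose message points at buffering the HTTP request body.
        if lower.contains("panicked") && lower.contains("request body") {
            f.body_read_panics += 1;
        }
        // Signal 2: supervisor restart lines, checked against the rate baseline.
        if lower.contains("zebrad.service") && lower.contains("scheduled restart") {
            f.restarts += 1;
            if let Some(t) = timestamp_secs(line) {
                recent.push(t);
                recent.retain(|&old| t.saturating_sub(old) <= window_secs);
                if recent.len() > max_restarts {
                    f.restart_burst = true;
                }
            }
        }
    }
    f
}

/// Constructed sample lines (made up for this example, not real zebrad or systemd output).
pub const SAMPLE: &[&str] = &[
    "12:00:01 zebrad[4242]: thread 'tokio-runtime-worker' panicked at 'failed to read request body: peer closed early'",
    "12:00:02 systemd[1]: zebrad.service: Scheduled restart job, restart counter is at 1.",
    "12:00:15 zebrad[4251]: thread 'tokio-runtime-worker' panicked at 'failed to read request body: peer closed early'",
    "12:00:16 systemd[1]: zebrad.service: Scheduled restart job, restart counter is at 2.",
    "12:00:30 zebrad[4260]: thread 'tokio-runtime-worker' panicked at 'failed to read request body: peer closed early'",
    "12:00:31 systemd[1]: zebrad.service: Scheduled restart job, restart counter is at 3.",
    "12:00:45 zebrad[4270]: Opened RPC endpoint at 127.0.0.1:8232",
];
```

With a 60-second window and a baseline of two restarts the sample trips the burst flag; with a 10-second window it does not, which is the knob an operator tunes against their own restart history.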
How to Mitigate CVE-2026-41585
Immediate Actions Required
- Upgrade zebrad to version 4.3.1 or later
- Upgrade zebra-rpc to version 6.0.2 or later
- Audit which clients hold valid RPC credentials and revoke any that are no longer required
- Bind the JSON-RPC listener to loopback or a trusted internal network rather than a public interface
Patch Information
The Zcash Foundation patched this issue in zebrad 4.3.1 and zebra-rpc 6.0.2. The fix converts the incomplete body read into a proper HTTP error response instead of terminating the process. Download the updated binaries or source from the official Zebra GitHub repository and review the Security Advisory GHSA-29x4-r6jv-ff4w for full release notes.
Workarounds
- Restrict access to the JSON-RPC port using host firewall rules or network ACLs until the patch is applied
- Place the RPC endpoint behind a reverse proxy that buffers full request bodies before forwarding to zebrad
- Configure a process supervisor with rapid automatic restart to minimize downtime if the node is crashed
# Configuration example
# Restrict the zebrad RPC listener to loopback in zebrad.toml
[rpc]
listen_addr = "127.0.0.1:8232"

# Verify the installed version after upgrading
zebrad --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.