Incomplete Cleanup Affecting zebra-state package, versions <7.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-ZEBRASTATE-17808048
  • published3 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-52736  (opens in a new tab)
CWE-459  (opens in a new tab)

How to fix?

Upgrade zebra-state to version 7.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Incomplete Cleanup through the non_finalized_block_write_sent_hashes process. An attacker can cause a node to become permanently stalled at a specific block height by delivering a poisoned block body with a duplicate header hash before the valid canonical block arrives. This prevents the node from advancing, causing it to diverge from the network tip and impacting downstream consumers. This is only exploitable if the node accepts inbound P2P connections and processes blocks past the checkpoint height, which are default configurations.

Workaround

This vulnerability can be mitigated by reducing the node's inbound peer count to narrow the attack surface or by restarting the node to clear the in-memory cache.

CVSS Base Scores

version 4.0
version 3.1