GHSA-63WG-WJJJ-7CP8

Vulnerability from github – Published: 2026-07-02 20:26 – Updated: 2026-07-02 20:26
VLAI
Summary
Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update
Details

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node listens on the default [::] address on a Linux host (the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions).
  3. Your node is synced near the chain tip (the expected production state for any node participating in the network).

Summary

An address normalization mismatch between the handshake path and the mempool misbehavior path causes a deterministic assertion panic when a peer connects via IPv4 to a dual-stack IPv6 listener and then triggers a mempool misbehavior penalty.

The handshake path canonicalizes IPv4-mapped IPv6 addresses to plain IPv4 when storing the peer in the address book via MetaAddr::new_connected. The mempool misbehavior path forwards the raw transient socket address (IPv4-mapped IPv6 form) when sending MetaAddrChange::UpdateMisbehavior to the address book. The address book looks up the canonical IPv4 entry but then asserts that the previous entry's address matches the change's address. The mismatch between the canonical IPv4 address and the raw IPv4-mapped IPv6 address triggers the assertion, and panic = "abort" terminates the process.

Details

On Linux with net.ipv6.bindv6only=0, an IPv4 connection accepted by a [::] listener is represented internally as an IPv4-mapped IPv6 socket address (e.g., ::ffff:127.0.0.1:8233). Zebra's canonical_peer_addr helper converts these to plain IPv4 (e.g., 127.0.0.1:8233).

The handshake path uses MetaAddr::new_connected, which canonicalizes the address before storing in the address book. However, inbound inventory registration uses connected_addr.get_transient_addr(), preserving the raw IPv4-mapped form. When the mempool later downloads an invalid transaction from this peer and generates a misbehavior penalty, the raw transient address is forwarded through the misbehavior channel to MetaAddrChange::UpdateMisbehavior, which does not canonicalize.

After the 30-second misbehavior batch flush, AddressBook::update retrieves the canonical IPv4 entry but MetaAddrChange::apply_to_meta_addr asserts that previous.addr == self.addr(), which fails because one is IPv4 and the other is IPv4-mapped IPv6.

The attacker needs only to complete a P2P handshake over IPv4 to a dual-stack listener and advertise an invalid mempool transaction (such as a coinbase transaction). The assertion fires after the 30-second misbehavior batch flush.

Patches

Patched in Zebra 4.5.0. The fix canonicalizes the address in the misbehavior update path via a new MetaAddr::new_misbehavior constructor that applies canonical_peer_addr before creating the UpdateMisbehavior change.

Workarounds

Configuring listen_addr to an IPv4-only address (e.g., 0.0.0.0:8233) avoids the IPv4-mapped IPv6 representation and prevents this specific assertion. Alternatively, setting net.ipv6.bindv6only=1 on Linux prevents dual-stack acceptance.

Impact

A remote unauthenticated peer can deterministically crash any synced Zebra node running the default Linux dual-stack configuration with a single invalid mempool transaction advertisement, followed by a 30-second wait. The attack requires no mining capability, no RPC access, no funds, and no special privileges. The crash can be repeated after each restart, causing persistent downtime. Linux dual-stack sockets and mempool activation are the default production state, not special preconditions.

Credit

Reported by @Haxatron.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-network"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:26:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your node listens on the default `[::]` address on a Linux host (the standard deployment configuration \u2014 `net.ipv6.bindv6only=0` is the default on all common Linux distributions).\n3. Your node is synced near the chain tip (the expected production state for any node participating in the network).\n\n### Summary\n\nAn address normalization mismatch between the handshake path and the mempool misbehavior path causes a deterministic assertion panic when a peer connects via IPv4 to a dual-stack IPv6 listener and then triggers a mempool misbehavior penalty.\n\nThe handshake path canonicalizes IPv4-mapped IPv6 addresses to plain IPv4 when storing the peer in the address book via `MetaAddr::new_connected`. The mempool misbehavior path forwards the raw transient socket address (IPv4-mapped IPv6 form) when sending `MetaAddrChange::UpdateMisbehavior` to the address book. The address book looks up the canonical IPv4 entry but then asserts that the previous entry\u0027s address matches the change\u0027s address. The mismatch between the canonical IPv4 address and the raw IPv4-mapped IPv6 address triggers the assertion, and `panic = \"abort\"` terminates the process.\n\n### Details\n\nOn Linux with `net.ipv6.bindv6only=0`, an IPv4 connection accepted by a `[::]` listener is represented internally as an IPv4-mapped IPv6 socket address (e.g., `::ffff:127.0.0.1:8233`). Zebra\u0027s `canonical_peer_addr` helper converts these to plain IPv4 (e.g., `127.0.0.1:8233`).\n\nThe handshake path uses `MetaAddr::new_connected`, which canonicalizes the address before storing in the address book. However, inbound inventory registration uses `connected_addr.get_transient_addr()`, preserving the raw IPv4-mapped form. When the mempool later downloads an invalid transaction from this peer and generates a misbehavior penalty, the raw transient address is forwarded through the misbehavior channel to `MetaAddrChange::UpdateMisbehavior`, which does not canonicalize.\n\nAfter the 30-second misbehavior batch flush, `AddressBook::update` retrieves the canonical IPv4 entry but `MetaAddrChange::apply_to_meta_addr` asserts that `previous.addr == self.addr()`, which fails because one is IPv4 and the other is IPv4-mapped IPv6.\n\nThe attacker needs only to complete a P2P handshake over IPv4 to a dual-stack listener and advertise an invalid mempool transaction (such as a coinbase transaction). The assertion fires after the 30-second misbehavior batch flush.\n\n### Patches\n\nPatched in Zebra 4.5.0. The fix canonicalizes the address in the misbehavior update path via a new `MetaAddr::new_misbehavior` constructor that applies `canonical_peer_addr` before creating the `UpdateMisbehavior` change.\n\n### Workarounds\n\nConfiguring `listen_addr` to an IPv4-only address (e.g., `0.0.0.0:8233`) avoids the IPv4-mapped IPv6 representation and prevents this specific assertion. Alternatively, setting `net.ipv6.bindv6only=1` on Linux prevents dual-stack acceptance.\n\n### Impact\n\nA remote unauthenticated peer can deterministically crash any synced Zebra node running the default Linux dual-stack configuration with a single invalid mempool transaction advertisement, followed by a 30-second wait. The attack requires no mining capability, no RPC access, no funds, and no special privileges. The crash can be repeated after each restart, causing persistent downtime. Linux dual-stack sockets and mempool activation are the default production state, not special preconditions.\n\n### Credit\n\nReported by `@Haxatron`.",
  "id": "GHSA-63wg-wjjj-7cp8",
  "modified": "2026-07-02T20:26:56Z",
  "published": "2026-07-02T20:26:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-63wg-wjjj-7cp8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…