GHSA-65jj-fmw8-468q: zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention

Severity: Medium
Published: 07/02/2026 (07/02/2026, 20:12:35 UTC)
Source: GCVE Database
Product: zebrad

Description

zebrad versions up to and including 4.4.1 have an unbounded memory leak in the mempool download pipeline. The leak occurs because transaction entries are retained indefinitely when verification times out, due to missing cleanup of timed-out entries. This causes memory usage to grow monotonically with no garbage collection, potentially leading to out-of-memory termination. The issue affects nodes accepting inbound P2P connections with active mempools. There is no configuration workaround; restarting the node clears the leak. The leak rate can reach approximately 685 KB/s per connection, requiring sustained traffic over hours to exhaust typical server memory. No consensus, fund loss, or on-disk corruption impact is reported.

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected software

crates.io / ghsa
zebrad
Affected versions: <4.5.0

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 23:09:49 UTC

Technical Analysis

The vulnerability in zebrad's mempool download pipeline arises from a bug where the cancel_handles map retains entries for transactions that time out during verification. Specifically, when a verification task times out (tokio::time::error::Elapsed), the transaction ID is lost because the error carries no payload, preventing removal of the corresponding entry. These entries include the full deserialized transaction (up to ~9 MB), accumulating without bound and causing memory exhaustion. The only cleanup occurs on mined transactions or node shutdown, neither of which addresses timed-out transactions. The fix involves preserving the transaction ID through the timeout error path and removing the entry upon timeout. No configuration workaround exists; only node restart clears the memory.
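
The retention pattern described above, as an added std-only Rust model; it is not zebrad's code and does not use tokio. `Outcome`, `Pipeline` and `retained_bytes` are hypothetical names, and the workload is constructed.

```rust
use std::collections::HashMap;

type TxId = u64;

/// Result of one verification task. `Elapsed` models a timeout error with no
/// payload; `ElapsedFor` models the fixed path, which keeps the transaction ID.
enum Outcome {
    Verified(TxId),
    Elapsed,
    ElapsedFor(TxId),
}

/// Toy pipeline state: one retained entry per in-flight transaction.
struct Pipeline {
    cancel_handles: HashMap<TxId, Vec<u8>>, // value stands in for the retained tx
}

impl Pipeline {
    /// Cleanup can only remove the entry that the outcome identifies.
    fn on_complete(&mut self, outcome: Outcome) {
        match outcome {
            Outcome::Verified(id) | Outcome::ElapsedFor(id) => {
                self.cancel_handles.remove(&id);
            }
            Outcome::Elapsed => {} // no ID to look up: the entry stays
        }
    }
}

/// Queue `n` transactions of `size` bytes; every `k`-th one times out.
/// Returns the number of bytes still held once all tasks have completed.
fn retained_bytes(n: u64, size: usize, k: u64, id_preserved: bool) -> usize {
    let mut p = Pipeline { cancel_handles: HashMap::new() };
    for id in 0..n {
        p.cancel_handles.insert(id, vec![0u8; size]);
        let outcome = match (id % k == 0, id_preserved) {
            (false, _) => Outcome::Verified(id),
            (true, false) => Outcome::Elapsed,
            (true, true) => Outcome::ElapsedFor(id),
        };
        p.on_complete(outcome);
    }
    p.cancel_handles.values().map(Vec::len).sum()
}

fn main() {
    // Constructed workload: 100 transactions of 1 KiB, every 4th one times out.
    println!("payload-less timeout: {} bytes", retained_bytes(100, 1024, 4, false));
    println!("ID-carrying timeout:  {} bytes", retained_bytes(100, 1024, 4, true));
}
```

In the payload-less variant the retained total scales with the number of timed-out tasks, which is the monotonic growth the advisory describes; carrying the ID through the timeout error brings it back to zero.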

Potential Impact

This vulnerability leads to gradual, unbounded memory exhaustion on zebrad nodes accepting inbound P2P connections with active mempools. Memory usage grows monotonically as timed-out transactions accumulate in memory, potentially causing the operating system's out-of-memory killer to terminate the process or degrade node performance due to swap pressure. The leak rate is approximately 685 KB/s per connection in worst-case scenarios, requiring sustained attacker traffic over hours to exhaust typical server memory. There is no impact on consensus, no loss of funds, and no on-disk data corruption.

Mitigation Recommendations

A patch is available in zebrad versions 4.5.0 and later that fixes the memory leak by preserving the transaction ID on timeout and removing the corresponding entry. Operators should upgrade to version 4.5.0 or later to remediate this issue. There is no configuration-level workaround. Restarting the node clears accumulated entries but does not prevent recurrence. Operators in memory-constrained environments should consider upgrading promptly to avoid out-of-memory termination.

Technical Details

GCVE Source: db.gcve.eu
OSV ID: GHSA-65jj-fmw8-468q
OSV Schema Version: 1.4.0
Aliases: ["CVE-2026-52734"]
Ecosystems: ["crates.io"]
Database Specific Severity: MODERATE
CVSS Version: 3.1

Threat ID: 6a46ecb527e9c7971943c8aa

Added to database: 07/02/2026, 22:56:53 UTC

Last enriched: 07/02/2026, 23:09:49 UTC

Last updated: 07/03/2026, 02:05:32 UTC
