GHSA-65jj-fmw8-468q: zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention
zebrad versions up to and including 4.4.1 have an unbounded memory leak in the mempool download pipeline. The leak occurs because transaction entries are retained indefinitely when verification times out, due to missing cleanup of timed-out entries. This causes memory usage to grow monotonically with no garbage collection, potentially leading to out-of-memory termination. The issue affects nodes accepting inbound P2P connections with active mempools. There is no configuration workaround; restarting the node clears the leak. The leak rate can reach approximately 685 KB/s per connection, requiring sustained traffic over hours to exhaust typical server memory. No consensus, fund loss, or on-disk corruption impact is reported.
AI Analysis
Technical Summary
The vulnerability in zebrad's mempool download pipeline arises from a bug where the cancel_handles map retains entries for transactions that time out during verification. Specifically, when a verification task times out (tokio::time::error::Elapsed), the transaction ID is lost because the error carries no payload, preventing removal of the corresponding entry. These entries include the full deserialized transaction (up to ~9 MB), accumulating without bound and causing memory exhaustion. The only cleanup occurs on mined transactions or node shutdown, neither of which addresses timed-out transactions. The fix involves preserving the transaction ID through the timeout error path and removing the entry upon timeout. No configuration workaround exists; only node restart clears the memory.
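The retention pattern and the fix described above, as a simplified std-only Rust model. This is an added example, not zebrad's code: apart from `cancel_handles`, every type and function name is hypothetical, and `TimedOut(None)` stands in for a bare `tokio::time::error::Elapsed`.

```rust
use std::collections::HashMap;

// Simplified model of the advisory's description; not zebrad's code.
// Every name except `cancel_handles` is hypothetical.
type TxId = u64;

/// What the pipeline learns when a verification task finishes.
enum Outcome {
    Verified(TxId),
    /// `None` models a bare timeout error with no payload (pre-fix shape);
    /// `Some(id)` models the fix, where the ID travels with the timeout.
    TimedOut(Option<TxId>),
}

struct Downloads {
    /// Each value stands for the deserialized transaction kept with the entry.
    cancel_handles: HashMap<TxId, Vec<u8>>,
}

impl Downloads {
    fn queue(&mut self, id: TxId, tx: Vec<u8>) {
        self.cancel_handles.insert(id, tx);
    }

    fn on_complete(&mut self, outcome: Outcome) {
        match outcome {
            Outcome::Verified(id) | Outcome::TimedOut(Some(id)) => {
                self.cancel_handles.remove(&id);
            }
            // No ID to key the removal on, so the entry stays until restart.
            Outcome::TimedOut(None) => {}
        }
    }

    fn retained_bytes(&self) -> usize {
        self.cancel_handles.values().map(Vec::len).sum()
    }
}

/// Queue `n` transactions of `size` bytes, time every one out, and return
/// the bytes still held. One extra transaction verifies normally first.
fn retained_after_timeouts(n: u64, size: usize, fixed: bool) -> usize {
    let mut d = Downloads { cancel_handles: HashMap::new() };
    d.queue(u64::MAX, vec![0u8; size]);
    d.on_complete(Outcome::Verified(u64::MAX)); // normal path cleans up
    for id in 0..n {
        d.queue(id, vec![0u8; size]);
        d.on_complete(Outcome::TimedOut(if fixed { Some(id) } else { None }));
    }
    d.retained_bytes()
}

fn main() {
    println!("pre-fix shape:  {} bytes", retained_after_timeouts(100, 1024, false));
    println!("post-fix shape: {} bytes", retained_after_timeouts(100, 1024, true));
}
```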
Potential Impact
This vulnerability leads to gradual, unbounded memory exhaustion on zebrad nodes accepting inbound P2P connections with active mempools. Memory usage grows monotonically as timed-out transactions accumulate in memory, potentially causing the operating system's out-of-memory killer to terminate the process or degrade node performance due to swap pressure. The leak rate is approximately 685 KB/s per connection in worst-case scenarios, requiring sustained attacker traffic over hours to exhaust typical server memory. There is no impact on consensus, no loss of funds, and no on-disk data corruption.
Mitigation Recommendations
A patch is available in zebrad versions 4.5.0 and later that fixes the memory leak by preserving the transaction ID on timeout and removing the corresponding entry. Operators should upgrade to version 4.5.0 or later to remediate this issue. There is no configuration-level workaround. Restarting the node clears accumulated entries but does not prevent recurrence. Operators in memory-constrained environments should consider upgrading promptly to avoid out-of-memory termination.
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: GHSA-65jj-fmw8-468q
- OSV Schema Version: 1.4.0
- Aliases: CVE-2026-52734
- Ecosystems: crates.io
- Database Specific Severity: MODERATE
- CVSS Version: 3.1
Threat ID: 6a46ecb527e9c7971943c8aa
Added to database: 07/02/2026, 22:56:53 UTC
Last enriched: 07/02/2026, 23:09:49 UTC
Last updated: 07/03/2026, 02:05:32 UTC