CVE-2026-52731

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate

Am I affected

You are affected if:

  • You run zebrad up to and including v4.4.1.
  • Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled).
  • An attacker can authenticate to the RPC endpoint. With the default enable_cookie_auth = true, this requires the attacker to read the .cookie file. With enable_cookie_auth = false, any network client reaching the RPC port can trigger it.

Summary

The getblocktemplate RPC handler panics when parsing a LongPollId parameter that contains non-ASCII (multi-byte UTF-8) characters. The handler performs byte-index string slicing on the user-supplied string, which panics in Rust when a byte index falls within a multi-byte character boundary. Because Zebra's release profile sets panic = "abort", the panic terminates the entire node process.

Details

The getblocktemplate handler receives a user-supplied LongPollId string and slices it at fixed byte offsets to extract the encoded tip hash and tip height. When the string contains multi-byte UTF-8 characters, a byte-index slice can land in the middle of a character, causing Rust's str indexing to panic with "byte index is not a char boundary."

Under the panic = "abort" release profile, this panic terminates the entire zebrad process rather than just the RPC task.

Patches

zebra-rpc 8.0.0 and zebrad 4.5.0.

Replace byte-index string slicing with character-aware parsing or validate that the LongPollId string contains only ASCII characters before slicing.

Workarounds

  • Disable the RPC server by removing rpc.listen_addr from zebrad.toml.
  • Ensure enable_cookie_auth = true (the default) and restrict filesystem access to the .cookie file.
  • Place a reverse proxy in front of the RPC port that validates LongPollId parameters are ASCII-only before forwarding.

Impact

A single authenticated RPC request terminates the zebrad process. Same impact profile as GHSA-c8w6-x74f-vmg3: repeatable on restart, affects mining pools and infrastructure that forward getblocktemplate calls.

Credit

Reported by @sangsoo-osec via a private GitHub Security Advisory submission.

CVSS v3
6.5
EG Score
6.5(low)
EPSS
KEV
Not listed

Published

July 2, 2026

Last Modified

July 2, 2026

Vendor Advisories for CVE-2026-52731(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 5× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 22:18 UTCEG score recompute
  2. 2026-07-05 21:46 UTCEG score recompute
  3. 2026-07-04 21:13 UTCEG score recompute
  4. 2026-07-03 20:40 UTCEG score recompute
  5. 2026-07-02 20:07 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-52731?
CVE-2026-52731 is a medium vulnerability published on July 2, 2026. zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled). 3. An attacker can authenticate to the RPC…
When was CVE-2026-52731 disclosed?
CVE-2026-52731 was first published in the National Vulnerability Database on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-52731?
CVE-2026-52731 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52731?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52731, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52731

Explore →

Is Your Infrastructure Affected by CVE-2026-52731?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.