CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52829

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-02
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default [::] address on a Linux host (the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions). 3. Your node is synced near the chain tip (the expected production state for any node participating in the network). Summary An address normalization mismatch between the handshake path and the mempool misbehavior path causes a deterministic assertion panic when a peer connects via IPv4 to a dual-stack IPv6 listener and then triggers a mempool misbehavior penalty. The handshake path canonicalizes IPv4-mapped IPv6 addresses to plain IPv4 when storing the peer in the address book via MetaAddr::new_connected. The mempool misbehavior path forwards the raw transient socket address (IPv4-mapped IPv6 form) when sending MetaAddrChange::UpdateMisbehavior to the address book. The address book looks up the canonical IPv4 entry but then asserts that the previous entry's address matches the change's address. The mismatch between the canonical IPv4 address and the raw IPv4-mapped IPv6 address triggers the assertion, and panic = "abort" terminates the process. Details On Linux with net.ipv6.bindv6only=0, an IPv4 connection accepted by a [::] listener is represented internally as an IPv4-mapped IPv6 socket address (e.g., ::ffff:127.0.0.1:8233). Zebra's canonical_peer_addr helper converts these to plain IPv4 (e.g., 127.0.0.1:8233). The handshake path uses MetaAddr::new_connected, which canonicalizes the address before storing in the address book. However, inbound inventory registration uses connected_addr.get_transient_addr(), preserving the raw IPv4-mapped form. When the mempool later downloads an invalid transaction from this peer and generates a misbehavior penalty, the raw transient address is forwarded through the misbehavior channel to MetaAddrChange::UpdateMisbehavior, wh

⚡ Watch CVE-2026-52829

Get an email if CVE-2026-52829 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52829

CVE.org record

Embed the live status

CVE-2026-52829 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52829 status](https://www.csirts.com/badge/CVE-2026-52829)](https://www.csirts.com/cve/CVE-2026-52829)