Search
Find a vulnerability
Search criteria
6 vulnerabilities found for zebra-chain by zfnd
CVE-2026-44500 (GCVE-0-2026-44500)
Vulnerability from nvd – Published: 2026-05-08 15:10 – Updated: 2026-05-08 19:41
VLAI
Title
ZEBRA: Allocation Amplification in Inbound Network Deserializers
Summary
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ZcashFoundation/zebra/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ZcashFoundation | zebra |
Affected:
zebrad < 4.4.0
Affected: zebra-chain < 7.0.0 Affected: zebra-network < 6.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T19:41:23.974951Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:41:46.471Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zebra",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "zebrad \u003c 4.4.0"
},
{
"status": "affected",
"version": "zebra-chain \u003c 7.0.0"
},
{
"status": "affected",
"version": "zebra-network \u003c 6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:10:21.516Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv"
}
],
"source": {
"advisory": "GHSA-438q-jx8f-cccv",
"discovery": "UNKNOWN"
},
"title": "ZEBRA: Allocation Amplification in Inbound Network Deserializers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44500",
"datePublished": "2026-05-08T15:10:21.516Z",
"dateReserved": "2026-05-06T18:28:20.886Z",
"dateUpdated": "2026-05-08T19:41:46.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41584 (GCVE-0-2026-41584)
Vulnerability from nvd – Published: 2026-05-08 15:05 – Updated: 2026-05-08 16:04
VLAI
Title
ZEBRA: rk Identity Point Panic in Transaction Verification
Summary
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ZcashFoundation/zebra/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ZcashFoundation | zebra |
Affected:
zebra-chain < 6.0.2
Affected: zebrad < 4.3.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:04:41.676690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:04:49.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zebra",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "zebra-chain \u003c 6.0.2"
},
{
"status": "affected",
"version": "zebrad \u003c 4.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a \"zero\" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:05:06.070Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg"
}
],
"source": {
"advisory": "GHSA-452v-w3gx-72wg",
"discovery": "UNKNOWN"
},
"title": "ZEBRA: rk Identity Point Panic in Transaction Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41584",
"datePublished": "2026-05-08T15:05:06.070Z",
"dateReserved": "2026-04-21T14:15:21.959Z",
"dateUpdated": "2026-05-08T16:04:49.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34202 (GCVE-0-2026-34202)
Vulnerability from nvd – Published: 2026-03-31 14:02 – Updated: 2026-03-31 17:17
VLAI
Title
Zebra node crash — V5 transaction hash panic (P2P reachable)
Summary
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ZcashFoundation/zebra/security… | x_refsource_CONFIRM |
| https://github.com/ZcashFoundation/zebra/releases… | x_refsource_MISC |
| https://zfnd.org/zebra-4-3-0-critical-security-fi… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ZcashFoundation | zebra |
Affected:
< 4.3.0
|
|
| ZcashFoundation | zebra-chain |
Affected:
< 6.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T17:16:55.754237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T17:17:30.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zebra",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.0"
}
]
},
{
"product": "zebra-chain",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra\u0027s transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:02:56.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg"
},
{
"name": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0"
},
{
"name": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements",
"tags": [
"x_refsource_MISC"
],
"url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements"
}
],
"source": {
"advisory": "GHSA-qp6f-w4r3-h8wg",
"discovery": "UNKNOWN"
},
"title": "Zebra node crash \u2014 V5 transaction hash panic (P2P reachable)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34202",
"datePublished": "2026-03-31T14:02:56.454Z",
"dateReserved": "2026-03-26T15:57:52.323Z",
"dateUpdated": "2026-03-31T17:17:30.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44500 (GCVE-0-2026-44500)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:10 – Updated: 2026-05-08 19:41
VLAI
Title
ZEBRA: Allocation Amplification in Inbound Network Deserializers
Summary
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ZcashFoundation/zebra/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ZcashFoundation | zebra |
Affected:
zebrad < 4.4.0
Affected: zebra-chain < 7.0.0 Affected: zebra-network < 6.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T19:41:23.974951Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:41:46.471Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zebra",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "zebrad \u003c 4.4.0"
},
{
"status": "affected",
"version": "zebra-chain \u003c 7.0.0"
},
{
"status": "affected",
"version": "zebra-network \u003c 6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:10:21.516Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv"
}
],
"source": {
"advisory": "GHSA-438q-jx8f-cccv",
"discovery": "UNKNOWN"
},
"title": "ZEBRA: Allocation Amplification in Inbound Network Deserializers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44500",
"datePublished": "2026-05-08T15:10:21.516Z",
"dateReserved": "2026-05-06T18:28:20.886Z",
"dateUpdated": "2026-05-08T19:41:46.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41584 (GCVE-0-2026-41584)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:05 – Updated: 2026-05-08 16:04
VLAI
Title
ZEBRA: rk Identity Point Panic in Transaction Verification
Summary
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ZcashFoundation/zebra/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ZcashFoundation | zebra |
Affected:
zebra-chain < 6.0.2
Affected: zebrad < 4.3.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:04:41.676690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:04:49.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zebra",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "zebra-chain \u003c 6.0.2"
},
{
"status": "affected",
"version": "zebrad \u003c 4.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a \"zero\" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:05:06.070Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg"
}
],
"source": {
"advisory": "GHSA-452v-w3gx-72wg",
"discovery": "UNKNOWN"
},
"title": "ZEBRA: rk Identity Point Panic in Transaction Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41584",
"datePublished": "2026-05-08T15:05:06.070Z",
"dateReserved": "2026-04-21T14:15:21.959Z",
"dateUpdated": "2026-05-08T16:04:49.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34202 (GCVE-0-2026-34202)
Vulnerability from cvelistv5 – Published: 2026-03-31 14:02 – Updated: 2026-03-31 17:17
VLAI
Title
Zebra node crash — V5 transaction hash panic (P2P reachable)
Summary
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ZcashFoundation/zebra/security… | x_refsource_CONFIRM |
| https://github.com/ZcashFoundation/zebra/releases… | x_refsource_MISC |
| https://zfnd.org/zebra-4-3-0-critical-security-fi… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ZcashFoundation | zebra |
Affected:
< 4.3.0
|
|
| ZcashFoundation | zebra-chain |
Affected:
< 6.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T17:16:55.754237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T17:17:30.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zebra",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.0"
}
]
},
{
"product": "zebra-chain",
"vendor": "ZcashFoundation",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra\u0027s transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:02:56.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg"
},
{
"name": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0"
},
{
"name": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements",
"tags": [
"x_refsource_MISC"
],
"url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements"
}
],
"source": {
"advisory": "GHSA-qp6f-w4r3-h8wg",
"discovery": "UNKNOWN"
},
"title": "Zebra node crash \u2014 V5 transaction hash panic (P2P reachable)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34202",
"datePublished": "2026-03-31T14:02:56.454Z",
"dateReserved": "2026-03-26T15:57:52.323Z",
"dateUpdated": "2026-03-31T17:17:30.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}