GHSA-PVMV-CWG8-V6C8

Vulnerability from github – Published: 2026-05-08 18:27 – Updated: 2026-05-08 18:27
VLAI?
Summary
Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output
Details

Consensus Divergence in V5 Transparent SIGHASH_SINGLE With No Corresponding Output

Summary

Zebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with SIGHASH_SINGLE and there is no transparent output at the same index as that input, validation must fail. Zebra instead asked the underlying sighash library to compute a digest, and that library produced a digest over an empty output set rather than failing. An attacker could craft a V5 transaction with more transparent inputs than outputs that Zebra accepts but zcashd rejects, creating a consensus split between Zebra and zcashd nodes.

A previous fix (GHSA-cwfq-rfcr-8hmp) addressed a closely related case in the same area of the code, but did not cover this specific one.

Severity

Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.

Note that the impact is currently alleviated by the fact that currently most miners run zcashd.

Affected Versions

Zebra 4.4.0.

Description

Verification of transparent transactions inherits the Bitcoin Script verification code in C++. Since it is consensus-critical, this code is called from Zebra through a foreign function interface (FFI), with a Rust callback that computes the sighash for each input being verified.

ZIP-244 §S.2a marks two situations as consensus failure for V5 transparent signatures:

  1. The signed hash type is not one of the six canonical values; and
  2. The hash type is SIGHASH_SINGLE (alone or combined with ANYONECANPAY) and the input has no transparent output at the same index.

zcashd enforces both rules: its SignatureHash raises an exception, and CheckSig catches it and fails the script. A previous fix (GHSA-cwfq-rfcr-8hmp) added the first rule to Zebra's V5 sighash callback. The second rule, however, was not added — Zebra's callback forwarded the request to librustzcash's ZIP-244 implementation, which handles an out-of-range SIGHASH_SINGLE output index by hashing an empty output set rather than refusing to produce a digest. As a result, Zebra would compute a well-defined sighash for the missing-output case and accept any signature that verified against it.

An attacker could exploit this by:

  • Constructing a V5 transaction with two or more transparent inputs and fewer transparent outputs;
  • Signing an input whose index has no matching vout entry with SIGHASH_SINGLE (0x03) or SIGHASH_SINGLE|ANYONECANPAY (0x83), using the digest Zebra computes;
  • Broadcasting the transaction, or a block containing it, to the network.

Zebra would verify the transaction's transparent script and accept the transaction (and any block containing it), while zcashd would reject both, splitting Zebra nodes from the rest of the network.

Impact

Consensus Failure

  • Attack Vector: Network.
  • Effect: Network partition/consensus split.
  • Scope: Any affected Zebra node.

Fixed Versions

This issue is fixed in Zebra 4.4.1.

Mitigation

Users should upgrade to Zebra 4.4.1 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.

Credits

Zebra thanks @sangsoo-osec, @zmanian, and @fivelittleducks for finding and reporting the issue.

Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-script"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-573",
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T18:27:26Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# Consensus Divergence in V5 Transparent SIGHASH_SINGLE With No Corresponding Output\n\n## Summary\n\nZebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with `SIGHASH_SINGLE` and there is no transparent output at the same index as that input, validation must fail. Zebra instead asked the underlying sighash library to compute a digest, and that library produced a digest over an empty output set rather than failing. An attacker could craft a V5 transaction with more transparent inputs than outputs that Zebra accepts but `zcashd` rejects, creating a consensus split between Zebra and `zcashd` nodes.\n\nA previous fix ([`GHSA-cwfq-rfcr-8hmp`](https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-cwfq-rfcr-8hmp)) addressed a closely related case in the same area of the code, but did not cover this specific one. \n\n## Severity\n\n**Critical** - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.\n\nNote that the impact is currently alleviated by the fact that currently most miners run `zcashd`.\n\n## Affected Versions\n\nZebra 4.4.0.\n\n## Description\n\nVerification of transparent transactions inherits the Bitcoin Script verification code in C++. Since it is consensus-critical, this code is called from Zebra through a foreign function interface (FFI), with a Rust callback that computes the sighash for each input being verified.\n\nZIP-244 \u00a7S.2a marks two situations as consensus failure for V5 transparent signatures:\n\n1. The signed hash type is not one of the six canonical values; and\n2. The hash type is `SIGHASH_SINGLE` (alone or combined with `ANYONECANPAY`) and the input has no transparent output at the same index.\n\n`zcashd` enforces both rules: its `SignatureHash` raises an exception, and `CheckSig` catches it and fails the script. A previous fix (`GHSA-cwfq-rfcr-8hmp`) added the first rule to Zebra\u0027s V5 sighash callback. The second rule, however, was not added \u2014 Zebra\u0027s callback forwarded the request to `librustzcash`\u0027s ZIP-244 implementation, which handles an out-of-range `SIGHASH_SINGLE` output index by hashing an empty output set rather than refusing to produce a digest. As a result, Zebra would compute a well-defined sighash for the missing-output case and accept any signature that verified against it.\n\nAn attacker could exploit this by:\n\n- Constructing a V5 transaction with two or more transparent inputs and fewer transparent outputs;\n- Signing an input whose index has no matching `vout` entry with `SIGHASH_SINGLE` (`0x03`) or `SIGHASH_SINGLE|ANYONECANPAY` (`0x83`), using the digest Zebra computes;\n- Broadcasting the transaction, or a block containing it, to the network.\n\nZebra would verify the transaction\u0027s transparent script and accept the transaction (and any block containing it), while `zcashd` would reject both, splitting Zebra nodes from the rest of the network.\n\n## Impact\n\n**Consensus Failure**\n\n- **Attack Vector:** Network.\n- **Effect:** Network partition/consensus split.\n- **Scope:** Any affected Zebra node.\n\n## Fixed Versions\n\nThis issue is fixed in Zebra 4.4.1.\n\n## Mitigation\n\nUsers should upgrade to Zebra 4.4.1 or later immediately.\n\nThere are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.\n\n## Credits\n\nZebra thanks @sangsoo-osec, @zmanian, and @fivelittleducks for finding and reporting the issue.",
  "id": "GHSA-pvmv-cwg8-v6c8",
  "modified": "2026-05-08T18:27:26Z",
  "published": "2026-05-08T18:27:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-pvmv-cwg8-v6c8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.