CVE Catalog

CVE-2026-41583

Critical
Published: Translated: NVD NIST

Summary

ZEBRA, a Zcash node written in Rust, prior to zebrad version 4.3.1 and zebra-script version 5.0.2, failed to validate a consensus rule regarding hash types for V5 transactions, potentially leading to a consensus split. Additionally, for V4 transactions, an incorrect hash type was used, which could also result in a consensus split.

Risk Assessment

The organization may face consensus issues within the Zcash network, leading to the acceptance of invalid blocks by Zebra nodes, potentially resulting in financial losses and data integrity problems.

Recommendation

It is recommended to upgrade to zebrad version 4.3.1 and zebra-script version 5.0.2 to mitigate this vulnerability and ensure compliance with consensus rules.

Original NVD description (English source)

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS