Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
Published: 2026-03-31
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Node crash causing denial of service
Action: Immediate patch
AI Analysis

Impact

A remote unauthenticated attacker can crash a Zebra node by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation, forcing a panic in the transaction processing logic. This results in a denial of service, disrupting the node’s availability for a participant in the Zcash network.

Affected Systems

The vulnerability affects Zcash Foundation’s Zebra node and Zebra-chain software versions prior to zebrad 4.3.0 and zebra-chain 6.0.1. Only these older releases are impacted; newer releases incorporate the fix.

Risk and Exploitability

The CVSS score of 9.2 indicates high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The issue is not listed in the CISA KEV catalog. The attack vector is P2P reachable, meaning a remote attacker can trigger the crash by sending the crafted transaction over the network, without any authentication.

Generated by OpenCVE AI on April 7, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the zebra v4.3.0 or zebra-chain v6.0.1 update and restart the node

Generated by OpenCVE AI on April 7, 2026 at 23:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qp6f-w4r3-h8wg Zebra node crash — V5 transaction hash panic (P2P reachable)
History

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Zfnd
Zfnd zebra
Zfnd zebra-chain
Weaknesses CWE-502
CPEs cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebra:*:*:*:*:*:rust:*:*
Vendors & Products Zfnd
Zfnd zebra
Zfnd zebra-chain
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Zcashfoundation
Zcashfoundation zebra
Zcashfoundation zebra-chain
Vendors & Products Zcashfoundation
Zcashfoundation zebra
Zcashfoundation zebra-chain

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
Title Zebra node crash — V5 transaction hash panic (P2P reachable)
Weaknesses CWE-1336
CWE-94
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Zcashfoundation Zebra Zebra-chain
Zfnd Zebra Zebra-chain
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:17:30.860Z

Reserved: 2026-03-26T15:57:52.323Z

Link: CVE-2026-34202

cve-icon Vulnrichment

Updated: 2026-03-31T17:17:26.784Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:17.860

Modified: 2026-04-07T21:02:10.667

Link: CVE-2026-34202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:20Z

Weaknesses