Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.
Published: 2026-03-31
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Consensus split between vulnerable Zebra nodes and the broader Zcash network
Action: Patch immediately
AI Analysis

Impact

A logic error in Zebra’s transaction verification cache allows a malicious miner to inject a block that appears to contain a valid transaction but carries invalid authorization data. Although the invalid transaction itself is not accepted, the block can be considered valid by vulnerable nodes, resulting in a consensus split with other Zcash nodes. This flaw does not the allow arbitrary code execution or data disclosure but can disrupt network integrity and reduce the reliability of affected nodes.

Affected Systems

ZcashFoundation’s Zebra node software and its accompanying zebra‑consensus component are impacted. Any installation of zebrad versions earlier than 4.3.0 or zebra‑consensus earlier than 5.0.1 is vulnerable. Modern releases that meet or exceed these version thresholds have the issue patched.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.4, indicating high severity, but the EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires a malicious miner generating a forged block that the node will accept due to the cache logic flaw; the attacker must be able to breed the node into accepting the block through normal network communication. The lack of a direct denial of service or privilege escalation barrier means that while system integrity is compromised, the vulnerability may be difficult to trigger without the attacker’s participation in the consensus process.

Generated by OpenCVE AI on April 6, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zebrad to version 4.3.0 or later
  • Upgrade zebra-consensus to version 5.0.1 or later
  • Restart the Zebra node to load the updated code
  • Verify that the node’s software version is current before allowing new blocks

Generated by OpenCVE AI on April 6, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3vmh-33xr-9cqh Zebra has a Consensus Failure due to Improper Verification of V5 Transactions
History

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Zfnd
Zfnd zebra
Zfnd zebra-consensus
CPEs cpe:2.3:a:zfnd:zebra-consensus:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebra:*:*:*:*:*:rust:*:*
Vendors & Products Zfnd
Zfnd zebra
Zfnd zebra-consensus
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Zcashfoundation
Zcashfoundation zebra
Zcashfoundation zebra-consensus
Vendors & Products Zcashfoundation
Zcashfoundation zebra
Zcashfoundation zebra-consensus

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.
Title Zebra has a Consensus Failure due to Improper Verification of V5 Transactions
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H'}

Subscriptions

Zcashfoundation Zebra Zebra-consensus
Zfnd Zebra Zebra-consensus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:18:12.932Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34377

cve-icon Vulnrichment

Updated: 2026-03-31T17:18:09.921Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:19.233

Modified: 2026-04-06T16:57:21.713

Link: CVE-2026-34377

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:07Z

Weaknesses