Description
Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs.
Published: 2026-04-05
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential Loss of User Funds
Action: Upgrade
AI Analysis

Impact

This vulnerability allows Zcash zcashd to accept invalid transactions under certain conditions, potentially causing unauthorized transfer of user funds from the Sprout pool because the node sometimes fails to verify Sprout proofs. The weakness, identified as CWE‑358, results in an integrity breach that could allow an attacker to drain funds that should have been protected by cryptographic validation.

Affected Systems

The issue affects the Zcash daemon (zcashd) in all releases prior to version 6.12.0. Any node using those earlier builds without the patch may be vulnerable, regardless of operating system or deployment environment.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation. However, the attack vector is inferred to be remote: a threat actor could craft a malicious transaction and broadcast it to a vulnerable node, leveraging the lack of proof verification to create phantom balances. Since no EPSS score is available, the exact exploitation probability is uncertain, but the potential financial impact warrants remediation.

Generated by OpenCVE AI on April 6, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to zcashd version 6.12.0 or later to ensure correct Sprout proof verification.

Generated by OpenCVE AI on April 6, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Potential Sprout Pool Funds Drainage via Accepting Invalid Transactions
First Time appeared Zcash
Zcash zcashd
Vendors & Products Zcash
Zcash zcashd

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs.
Weaknesses CWE-358
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Zcash Zcashd
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T14:04:35.190Z

Reserved: 2026-04-05T21:26:58.043Z

Link: CVE-2026-35679

cve-icon Vulnrichment

Updated: 2026-04-06T14:04:22.508Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-05T22:16:01.193

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-35679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:48:10Z

Weaknesses