Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions, which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also create a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
Published: 2026-05-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zebra failed to enforce consensus rules that limit valid sighash hash types for V5 transactions introduced by NU5, allowing the node to accept transactions that other Zcash implementations deem invalid. Additionally, Zebra used the canonical hash type for V4 transactions instead of the raw value specified by the protocol, further diverging from the network consensus. These deviations can cause a Zebra node to mine blocks that are considered invalid by zcashd nodes, creating a split in the blockchain and risking double‑spend or orphaned blocks. The vulnerability is rooted in CWE‑573: Incomplete Definition of Countermeasure.
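
The two rules described above, written as a short check. This is an added example, not Zebra's or zcashd's code: the six accepted V5 values and the preimage field widths follow ZIP 244 and ZIP 243 as understood here, and `check_v5_hash_type`, `canonicalize` and `preimage_hash_type` are hypothetical names (the canonical form shown is an assumed masking, used only to show why it must not replace the raw value).

```rust
// Added illustration, not Zebra or zcashd code. Constants and field widths
// follow ZIP 243 (V4) and ZIP 244 (V5) as understood here (assumption).
const SIGHASH_ALL: u8 = 0x01;
const SIGHASH_NONE: u8 = 0x02;
const SIGHASH_SINGLE: u8 = 0x03;
const SIGHASH_ANYONECANPAY: u8 = 0x80;

#[derive(Debug, PartialEq)]
enum SighashError {
    UndefinedHashType(u8),
}

/// V5 rule: the raw hash-type byte must be one of the six defined values
/// (0x01, 0x02, 0x03, each optionally OR-ed with ANYONECANPAY).
fn check_v5_hash_type(raw: u8) -> Result<u8, SighashError> {
    match raw & !SIGHASH_ANYONECANPAY {
        SIGHASH_ALL | SIGHASH_NONE | SIGHASH_SINGLE => Ok(raw),
        _ => Err(SighashError::UndefinedHashType(raw)),
    }
}

/// Hypothetical "canonical" form: keep only the bits that select behaviour.
/// Shown only to illustrate why it must not feed the V4 preimage.
fn canonicalize(raw: u8) -> u8 {
    (raw & 0x1f) | (raw & SIGHASH_ANYONECANPAY)
}

/// Hash-type bytes committed in the signature preimage.
/// V4 commits the raw value as 4-byte little-endian;
/// V5 commits one byte, and only after the range check passes.
fn preimage_hash_type(tx_version: u32, raw: u8) -> Result<Vec<u8>, SighashError> {
    match tx_version {
        5 => check_v5_hash_type(raw).map(|b| vec![b]),
        _ => Ok(u32::from(raw).to_le_bytes().to_vec()),
    }
}

fn main() {
    // Constructed sample bytes, not taken from any real transaction.
    for raw in [0x01u8, 0x83, 0x41, 0x00] {
        println!(
            "raw={raw:#04x} v5={:?} v4_raw={:?} v4_canonical={:?}",
            preimage_hash_type(5, raw),
            preimage_hash_type(4, raw),
            u32::from(canonicalize(raw)).to_le_bytes(),
        );
    }
}
```

For the constructed byte 0x41, the V5 path rejects the input, while the V4 raw and canonical encodings differ, so two nodes hashing them would compute different sighashes for the same signature.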

Affected Systems

The issue affects ZcashFoundation’s Zebra node implementations before versions 4.3.1 of zebrad and 5.0.2 of zebra‑script. Existing installations of these components that have not been upgraded are vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical impact, yet the EPSS score is unavailable and the flaw is not listed in KEV, suggesting the threat of exploitation is currently unverified. The likely attack vector is a malicious or compromised node that intentionally broadcasts blocks containing transactions that violate the updated sighash rules, exploiting the mismatch to trigger a consensus split. The outcome would be a diverted chain or degraded network stability, exposing participants to potential loss of funds or delayed confirmations.

Generated by OpenCVE AI on May 8, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zebrad to version 4.3.1 or later.
  • Upgrade zebra-script to version 5.0.2 or later.
  • Re‑synchronize the node to ensure it rejects any stale or mis‑signed blocks and monitor for unexpected consensus changes.

Advisories
Source: GitHub GHSA
ID: GHSA-8m29-fpq5-89jj
Title: Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling

History

Sat, 09 May 2026 00:45:00 +0000

First Time appeared (added): Zcashfoundation; Zcashfoundation zebra
Vendors & Products (added): Zcashfoundation; Zcashfoundation zebra

Fri, 08 May 2026 20:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 18:45:00 +0000

First Time appeared (added): Zfnd; Zfnd zebra-script; Zfnd zebrad
CPEs (added): cpe:2.3:a:zfnd:zebra-script:*:*:*:*:*:rust:*:*; cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*
Vendors & Products (added): Zfnd; Zfnd zebra-script; Zfnd zebrad
Metrics (added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Fri, 08 May 2026 15:15:00 +0000

Description (added): ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions, which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also create a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
Title (added): ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling
Weaknesses (added): CWE-573
References
Metrics (added): cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-08T19:42:57.297Z
Reserved: 2026-04-21T14:15:21.959Z
Link: CVE-2026-41583

Vulnrichment

Updated: 2026-05-08T19:42:47.215Z

NVD

Status: Analyzed
Published: 2026-05-08T15:16:41.070
Modified: 2026-05-08T18:44:58.830
Link: CVE-2026-41583

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:20Z
