Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.
Published: 2026-05-08
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed Orchard transaction may contain an rk (randomized validating key) set to the elliptic curve identity point, which is allowed by the Zcash specification but causes a panic in the orchid crate used by ZEBRA node verification. The panic terminates the node, resulting in a loss of service availability. This flaw is a classic instance of a bad input leading to code execution path failure and is classified as CWE‑617.

Affected Systems

The vulnerability affects node implementations built on the ZcashFoundation:zebra framework, specifically versions of zebrad earlier than 4.3.1 and zebra-chain earlier than 6.0.2.

Risk and Exploitability

The CVSS score of 9.2 indicates a high severity exploitability. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog. An attacker can craft a transaction containing an identity rk value and inject it into any Zebra node’s transaction pool, which is generally reachable over the network. No privileged local access or additional preconditions are required, making the attack remotely feasible.

Generated by OpenCVE AI on May 8, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zebrad to version 4.3.1 or later
  • Upgrade zebra-chain to version 6.0.2 or later
  • Continuously monitor node logs for unexpected crashes or high re‑sync activity

Generated by OpenCVE AI on May 8, 2026 at 17:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-452v-w3gx-72wg Zebra has rk Identity Point Panic in Transaction Verification
History

Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Zfnd
Zfnd zebra-chain
Zfnd zebrad
CPEs cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*
Vendors & Products Zfnd
Zfnd zebra-chain
Zfnd zebrad
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.
Title ZEBRA: rk Identity Point Panic in Transaction Verification
Weaknesses CWE-617
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Zfnd Zebra-chain Zebrad
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T16:04:49.931Z

Reserved: 2026-04-21T14:15:21.959Z

Link: CVE-2026-41584

cve-icon Vulnrichment

Updated: 2026-05-08T16:04:46.090Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:41.240

Modified: 2026-05-08T18:21:13.283

Link: CVE-2026-41584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T18:00:16Z

Weaknesses