Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. This issue has been patched in zebrad version 4.4.0 and zebra-script version 6.0.0.
Published: 2026-05-08
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in Zebra’s handling of the sighash type. An invalid hash type is not reported as an error, causing the code to continue and leaving the sighash buffer unchanged. If the buffer already holds a valid sighash from a prior signature validation, a subsequent transaction can reuse that stale value even though the new hash type is invalid. The transaction is then incorrectly accepted on a Zebra node while a compliant node, such as zcashd, would reject it, creating a split in the consensus chain. This undermines the integrity of the network by enabling two separate blockchains to coexist.

Affected Systems

ZcashFoundation’s Zebra node in versions of zebrad earlier than 4.4.0 and zebra-script earlier than 6.0.0 is affected. Anyone running a full Zebra node or masternode before these version thresholds must be aware of the risk.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is classified as critical. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. The attack vector requires only the transmission of a specially crafted transaction over the network; no privileged access is needed. If executed, the inconsistency can produce a forking event that compromises the network’s availability and potentially leads to double spending until the patch is applied.

Generated by OpenCVE AI on May 8, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zebrad to version 4.4.0 or newer and zebra-script to version 6.0.0 or newer
  • Restart the node after applying the updated binaries to ensure the patch takes effect
  • Monitor the blockchain for any consensus anomalies or unexpected transaction rejections and alert administrators if such events occur

Generated by OpenCVE AI on May 8, 2026 at 19:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gq4h-3grw-2rhv Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
History

Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Zfnd
Zfnd zebra-script
Zfnd zebrad
CPEs cpe:2.3:a:zfnd:zebra-script:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*
Vendors & Products Zfnd
Zfnd zebra-script
Zfnd zebrad
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Fri, 08 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. This issue has been patched in zebrad version 4.4.0 and zebra-script version 6.0.0.
Title ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H'}

Subscriptions

Zfnd Zebra-script Zebrad
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T15:48:10.020Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44497

cve-icon Vulnrichment

Updated: 2026-05-08T15:48:03.193Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:17:01.493

Modified: 2026-05-08T18:42:24.100

Link: CVE-2026-44497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T19:15:14Z

Weaknesses