Description
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.
Published: 2026-05-08
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zebra’s block validator fails to count all transparent signature operations when evaluating a block, allowing blocks that exceed the 20,000‑operation limit to be accepted by Zebra but rejected by other Zcash implementations. A miner can therefore produce a block that Zebra will accept and others will refuse, creating a divergence in the blockchain.

Affected Systems

All Zebra nodes running any version earlier than 4.4.0 are vulnerable. The patch that corrects the sigop counting logic is contained in Zebra v4.4.0 and later.

Risk and Exploitability

The CVSS score of 9.2 indicates a critical risk. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, but that absence does not reduce its severity. The flaw can be exploited without special access: any miner or individual capable of submitting a block with an inflated signature-operation count can trigger the issue. Zebra nodes that accept such a block diverge from the broader Zcash network, causing a network split.

Generated by OpenCVE AI on May 8, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zebra to version 4.4.0 or newer to apply the fixed sigop counting logic.
  • Ensure that your node is fully synchronized with the main Zcash network and that it does not process blocks whose sigop counts exceed 20,000.
  • Monitor the node for inconsistencies in block acceptance and verify that the chain tip agrees with other full nodes to detect a potential split.


Advisories
Source: GitHub GHSA
ID: GHSA-jv4h-j224-23cc
Title: Zebra's Block Validator Undercounts Coinbase and P2SH Sigops

History

Fri, 08 May 2026 23:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zcashfoundation; Zcashfoundation zebra
Vendors & Products | | Zcashfoundation; Zcashfoundation zebra

Fri, 08 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zfnd; Zfnd zebrad
CPEs | | cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*
Vendors & Products | | Zfnd; Zfnd zebrad
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Fri, 08 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.
Title | | ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
Weaknesses | | CWE-682
References | |
Metrics | | cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T15:09:09.919Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44498

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-08T15:17:01.637

Modified: 2026-05-08T18:40:55.383

Link: CVE-2026-44498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:15:20Z