CVE-2026-41583
Zcash Foundation · Zebra
Zebra node software fails to properly validate consensus rules for V5 and V4 transaction sighash types, potentially leading to a consensus split between Zebra and zcashd nodes.
Executive summary
A critical consensus validation flaw in the Zebra node software allows for transaction handling discrepancies that can lead to network splits and potential service disruption.
Vulnerability
This is a consensus logic error: the software fails to correctly validate the sighash types of V5 and V4 transactions. The vulnerability is triggered through network-level transaction processing and requires no user authentication; it manifests as a consensus split between Zebra and zcashd nodes.
Business impact
The vulnerability poses a severe risk to the integrity and availability of the Zcash network for nodes running Zebra. A successful exploitation creates a consensus split, effectively causing a fork in the blockchain where Zebra nodes accept transactions that zcashd nodes reject, leading to significant financial and operational instability. Given the CVSS score of 9.1, this is classified as a critical infrastructure risk.
Remediation
Immediate Action: Upgrade all instances of zebrad to version 4.3.1 and zebra-script to version 5.0.2 without delay.
Proactive Monitoring: Monitor node logs for synchronization errors, block validation failures, or unexpected forks compared to the primary zcashd network.
Compensating Controls: Until patched, keep nodes isolated within secure network segments and restrict peer-to-peer connections to trusted, verified nodes to reduce the risk of malicious transaction propagation.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Operators of Zebra nodes must prioritize the update to the patched versions to restore consensus alignment with the broader Zcash network. Failure to apply these updates may result in nodes becoming desynchronized and unable to process valid network transactions.