Transaction Processing Vulnerability in ZEBRA Node by Zcash Foundation
CVE-2026-34202

9.2 CRITICAL

Key Information:

Vendor
CVE Published: 31 March 2026

What is CVE-2026-34202?

A critical flaw in the ZEBRA node's transaction processing logic allows a remote, unauthenticated attacker to crash the node. The crash occurs when the node receives a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation, which causes a panic. The issue is fixed in zebrad 4.3.0 and zebra-chain 6.0.1.

Affected Version(s)

zebra < 4.3.0

zebra-chain < 6.0.1

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
