Logic Error in Zcash Node Software Affects Zebra by Zcash Foundation
CVE-2026-34377

8.4 HIGH

Key Information:

Vendor
CVE Published: 31 March 2026

What is CVE-2026-34377?

A logic error in the transaction verification cache of Zebra, a Zcash node implemented in Rust, allows malicious miners to provoke a consensus split. This vulnerability permits a miner to match a valid transaction's transaction ID while supplying invalid authorization data. As a result, vulnerable Zebra nodes may accept an invalid block, separating them from the valid Zcash network. Importantly, while this does not enable the acceptance of invalid transactions, it can result in a significant consensus split between the vulnerable Zebra nodes and unaffected Zebra and Zcashd nodes. This issue has been resolved in zebrad version 4.3.0 and zebra-consensus version 5.0.1.
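The bug class described above, as an added example that is not Zebra's code or the fix shipped by the project: a verification cache keyed only on the transaction ID treats a transaction with the same ID but different authorization data as already verified. The types, function names and FNV-1a stand-in hash are hypothetical, and the hardened cache key is an assumption about one way to close this class of bug.

```rust
use std::collections::HashSet;

// Constructed toy model, not Zebra's types: `effects` stands for the fields the
// transaction ID commits to, `auth` for authorization data (signatures, proofs).
pub struct Tx {
    pub effects: Vec<u8>,
    pub auth: Vec<u8>,
}

// FNV-1a, a stand-in for the real cryptographic digests.
fn digest(data: &[u8]) -> u64 {
    data.iter()
        .fold(0xcbf29ce484222325u64, |h, b| (h ^ u64::from(*b)).wrapping_mul(0x100000001b3))
}

pub fn txid(tx: &Tx) -> u64 { digest(&tx.effects) }

// Stand-in for signature/proof checks: auth must equal the digest of the effects.
pub fn full_verify(tx: &Tx) -> bool {
    tx.auth == txid(tx).to_le_bytes()
}

// Weak cache: a hit on the transaction ID alone skips verification.
pub fn accept_by_txid(cache: &mut HashSet<u64>, tx: &Tx) -> bool {
    if cache.contains(&txid(tx)) { return true; }
    let ok = full_verify(tx);
    if ok { cache.insert(txid(tx)); }
    ok
}

// Hardened cache (assumed design): the key also commits to the authorization data.
pub fn accept_by_txid_and_auth(cache: &mut HashSet<(u64, u64)>, tx: &Tx) -> bool {
    let key = (txid(tx), digest(&tx.auth));
    if cache.contains(&key) { return true; }
    let ok = full_verify(tx);
    if ok { cache.insert(key); }
    ok
}

// Cache an honest transaction, then present the same effects with invalid auth.
pub fn demo() -> (bool, bool) {
    let effects = b"constructed effects".to_vec();
    let honest = Tx { auth: digest(&effects).to_le_bytes().to_vec(), effects: effects.clone() };
    let forged = Tx { effects, auth: b"invalid".to_vec() };
    let (mut weak, mut strict) = (HashSet::new(), HashSet::new());
    assert!(accept_by_txid(&mut weak, &honest) && accept_by_txid_and_auth(&mut strict, &honest));
    (accept_by_txid(&mut weak, &forged), accept_by_txid_and_auth(&mut strict, &forged))
}

fn main() { println!("{:?}", demo()); }
```

The weak cache accepts the forged copy because its ID is already cached, while the hardened cache misses and falls through to full verification, which rejects it.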

Affected Version(s)

zebra < 4.3.0

zebra-consensus < 5.0.1

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
