Logic Error in Zcash Node's Transaction Verification Cache Affects Zebra by Zcash Foundation
CVE-2026-40880

7.2HIGH

Key Information:

Vendor: Zcashfoundation
Status: Zebrad; Zebra-consensus
Vendor: CVE Published:; 21 April 2026

🔔 Create Zcashfoundation Vulnerability Alert

What is CVE-2026-40880?

A logic error in Zebra's transaction verification cache may permit malicious miners to cause a consensus split within the Zcash network. By submitting a valid transaction for height H+1 but invalid for H+2, attackers could make vulnerable Zebra nodes accept an invalid block, disrupting network consensus. This risk has been addressed in zebrad version 4.3.1 and zebra-consensus version 5.0.2.

Affected Version(s)

zebra-consensus < 5.0.2

zebrad < 4.3.1

References

https://github.com/ZcashFoundation/zebra/security/advisor...

x_refsource_CONFIRM

CVSS V4

Score:

7.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40880 Data

JSON