Consensus Vulnerability in Zcash Node by Zcash Foundation
CVE-2026-41583
What is CVE-2026-41583?
The Zebra node, utilized within the Zcash ecosystem for decentralized transaction validation, has encountered vulnerabilities associated with V5 and V4 transaction types. Specifically, prior to zebrad version 4.3.1 and zebra-script version 5.0.2, it failed to rigorously validate the allowed values of sighash hash types for V5 transactions introduced with the NU5 network upgrade. This could potentially permit Zebra nodes to erroneously accept and mine blocks deemed invalid by zcashd nodes, leading to significant consensus issues between various nodes. In addition, for V4 transactions, the mishandling of hash types during computation could result in further discrepancies. This critical flaw was addressed in subsequent releases to ensure uniformity and compliance with consensus rules.
Affected Version(s)
zebra zebrad < 4.3.1 < zebrad 4.3.1
zebra zebra-script < 5.0.2 < zebra-script 5.0.2
