Denial of Service Vulnerability in Zcash Node Software by Zcash Foundation
CVE-2026-41584

9.2CRITICAL

Key Information:

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-41584?

Prior to specific versions, the ZEBRA node software is susceptible to Denial of Service due to a flaw in the handling of Orchard transactions. The rk field within these transactions can be manipulated to send an identity value, causing the software to crash. This creates a potential exploit for attackers, allowing crafted transactions to destabilize the node. The issue has been addressed in subsequent software updates.

Affected Version(s)

zebra zebra-chain < 6.0.2 < zebra-chain 6.0.2

zebra zebrad < 4.3.1 < zebrad 4.3.1

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.