Insufficient Error Handling in Zebra Node Software from Zcash Foundation
CVE-2026-44497
9.3CRITICAL
What is CVE-2026-44497?
The ZEBRA node software, crucial for operating Zcash, contains an error handling flaw prior to specified versions. An invalid sighash type during computation was not correctly managed, allowing for the continuation of the process without appropriate error signaling. As a result, this could lead to scenarios where an invalid sighash may be accepted, creating potential consensus discrepancies between ZEBRA and zcashd nodes. Users are urged to update to zebrad version 4.4.0 and zebra-script version 6.0.0 to mitigate this issue.
Affected Version(s)
zebra zebra-script < 6.0.0 < zebra-script 6.0.0
zebra zebrad < 4.4.0 < zebrad 4.4.0
