Insufficient Error Handling in Zebra Node Software from Zcash Foundation
CVE-2026-44497

9.3CRITICAL

Key Information:

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-44497?

The ZEBRA node software, crucial for operating Zcash, contains an error handling flaw prior to specified versions. An invalid sighash type during computation was not correctly managed, allowing for the continuation of the process without appropriate error signaling. As a result, this could lead to scenarios where an invalid sighash may be accepted, creating potential consensus discrepancies between ZEBRA and zcashd nodes. Users are urged to update to zebrad version 4.4.0 and zebra-script version 6.0.0 to mitigate this issue.

Affected Version(s)

zebra zebra-script < 6.0.0 < zebra-script 6.0.0

zebra zebrad < 4.4.0 < zebrad 4.4.0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.