Signature Operation Undercounting in Zebra Zcash Node by Zcash Foundation
CVE-2026-44498

9.2CRITICAL

Key Information:

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-44498?

The Zebra Zcash node, developed by the Zcash Foundation, exhibited a vulnerability where the block validator inaccurately counted transparent signature operations, thereby ignoring the established limit of 20,000 signature operations per block. This flaw permitted the acceptance of blocks that would typically be rejected by the standard zcashd implementation, leading to the potential for miners to create and propagate blocks that could fork the network. Consequently, Zebra nodes might follow an erroneous chain diverging from the legitimate zcashd nodes. This issue has been rectified in version 4.4.0.

Affected Version(s)

zebra < 4.4.0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.