Signature Operation Undercounting in Zebra Zcash Node by Zcash Foundation
CVE-2026-44498
9.2CRITICAL
What is CVE-2026-44498?
The Zebra Zcash node, developed by the Zcash Foundation, exhibited a vulnerability where the block validator inaccurately counted transparent signature operations, thereby ignoring the established limit of 20,000 signature operations per block. This flaw permitted the acceptance of blocks that would typically be rejected by the standard zcashd implementation, leading to the potential for miners to create and propagate blocks that could fork the network. Consequently, Zebra nodes might follow an erroneous chain diverging from the legitimate zcashd nodes. This issue has been rectified in version 4.4.0.
Affected Version(s)
zebra < 4.4.0
