CVE-2026-34202
HIGHZebra node crash — V5 transaction hash panic (P2P reachable)
Title source: cnaDescription
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg
X_Refsource_Misc x_refsource_misc
https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0
X_Refsource_Misc x_refsource_misc
https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements
Scores
CVSS v3
7.5
EPSS
0.0073
EPSS Percentile
49.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1336
CWE-502
CWE-94
Status
published
Products (6)
crates.io/zebra-chain
0 - 6.0.1crates.io
crates.io/zebrad
0 - 4.3.0crates.io
ZcashFoundation/zebra
< 4.3.0
ZcashFoundation/zebra-chain
< 6.0.1
zfnd/zebra
< 4.3.0
zfnd/zebra-chain
< 6.0.1
Published
Mar 31, 2026
Tracked Since
Mar 31, 2026