CVE-2026-34202

HIGH

Zebra node crash — V5 transaction hash panic (P2P reachable)

Title source: cna

Description

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.

References (3)

[X_Refsource_Confirm] https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg

[X_Refsource_Misc] https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0

[X_Refsource_Misc] https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements

Scores

CVSS v3 7.5

EPSS 0.0014

EPSS Percentile 33.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1336 CWE-502 CWE-94

Status published

Products (6)

crates.io/zebra-chain 0 - 6.0.1crates.io

crates.io/zebrad 0 - 4.3.0crates.io

ZcashFoundation/zebra < 4.3.0

ZcashFoundation/zebra-chain < 6.0.1

zfnd/zebra < 4.3.0

zfnd/zebra-chain < 6.0.1

Published Mar 31, 2026

Tracked Since Mar 31, 2026