CVE-2026-34377
HIGH
Zebra V5 Transaction Verification - Consensus Split
Title source: manual
Description
Zebra is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.
References (3)
x_refsource_misc
https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0
x_refsource_confirm
https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh
x_refsource_misc
https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements
Scores
CVSS v3
8.1
EPSS
0.0026
EPSS Percentile
16.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (6)
crates.io/zebra-consensus
0 - 5.0.1 (crates.io)
crates.io/zebrad
0 - 4.3.0 (crates.io)
ZcashFoundation/zebra
< 4.3.0
ZcashFoundation/zebra-consensus
< 5.0.1
zfnd/zebra
< 4.3.0
zfnd/zebra-consensus
< 5.0.1
Published
Mar 31, 2026
Tracked Since
Mar 31, 2026