CVE-2026-44498
HIGHZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
Title source: cnaDescription
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-jv4h-j224-23cc
X_Refsource_Misc x_refsource_misc
https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0
Scores
CVSS v3
7.5
EPSS
0.0028
EPSS Percentile
19.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-682
Status
published
Products (3)
crates.io/zebrad
0 - 4.4.0crates.io
ZcashFoundation/zebra
< 4.4.0
zfnd/zebrad
< 4.4.0
Published
May 08, 2026
Tracked Since
May 08, 2026