CVE-2026-34202
Received Received - Intake
Denial of Service via Transaction Processing Panic in Zebra Node

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34202
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zfnd zebra to 4.3.0 (exc)
zfnd zebra-chain to 6.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34202 is a critical remote Denial of Service (DoS) vulnerability in Zebra, a Rust-based Zcash node implementation. The vulnerability exists in the transaction processing logic prior to Zebra version 4.3.0. It allows a remote, unauthenticated attacker to send a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID (TxID) calculation. This failure triggers an uncaught panic, causing the Zebra node to crash.

The root cause is that Zebra lazily validates certain transaction fields that are eagerly validated in the underlying parsing library, leading to malformed transactions being accepted initially but failing later during TxID computation.

This vulnerability can be exploited remotely via the node’s public P2P port or the sendrawtransaction RPC method without any authentication or user interaction.

Impact Analysis

This vulnerability can cause a Zebra node to immediately crash upon receiving a specially crafted transaction, resulting in a Denial of Service (DoS).

The impact is primarily on availability, as the node becomes unavailable due to the crash. There is no impact on confidentiality or integrity.

An attacker can exploit this remotely without any privileges or user interaction, making it easy to disrupt the operation of affected Zebra nodes.

Mitigation involves upgrading to Zebra version 4.3.0 or later, or restricting access to the RPC interface and limiting the P2P port to trusted peers to prevent exploitation.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in Zebra nodes when processing V5 transactions. Since the vulnerability is triggered by specially crafted V5 transactions sent to the node's public P2P port (default 8233) or via the sendrawtransaction RPC method, observing unexpected node crashes or panics during transaction processing is an indicator.

To detect attempts to exploit this vulnerability on your network, you can monitor network traffic on port 8233 for unusual or malformed transaction messages.

Suggested commands include:

  • Use network monitoring tools like tcpdump or Wireshark to capture traffic on port 8233: tcpdump -i <interface> port 8233
  • Check Zebra node logs for panic or crash messages related to transaction processing failures.
  • If using the RPC interface, monitor for suspicious sendrawtransaction calls that might include malformed V5 transactions.
Mitigation Strategies

The primary mitigation is to upgrade Zebra to version 4.3.0 or later, where the vulnerability has been fixed by rejecting problematic transactions during initial deserialization and handling errors gracefully.

If an immediate upgrade is not possible, you should:

  • Restrict access to the RPC interface to trusted users only.
  • Close or limit access to the P2P port (default 8233) to trusted peers to prevent remote exploitation.

Note that restricting the P2P port may affect network synchronization.

Compliance Impact

This vulnerability causes a remote Denial of Service (DoS) by crashing Zebra nodes, impacting availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized data access or data leakage, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or health data.

However, the availability impact caused by the DoS could indirectly affect compliance if the affected systems are critical for maintaining required service levels or data availability under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart