CVE-2026-34202
Denial of Service via Transaction Processing Panic in Zebra Node
Publication date: 2026-03-31
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zfnd | zebra | up to 4.3.0 (exclusive) |
| zfnd | zebra-chain | up to 6.0.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34202 is a critical remote Denial of Service (DoS) vulnerability in Zebra, a Rust-based Zcash node implementation. The vulnerability exists in the transaction processing logic prior to Zebra version 4.3.0. It allows a remote, unauthenticated attacker to send a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID (TxID) calculation. This failure triggers an uncaught panic, causing the Zebra node to crash.
The root cause is that Zebra lazily validates certain transaction fields that are eagerly validated in the underlying parsing library, leading to malformed transactions being accepted initially but failing later during TxID computation.
This vulnerability can be exploited remotely via the node’s public P2P port or the sendrawtransaction RPC method without any authentication or user interaction.
How can this vulnerability impact me?
This vulnerability can cause a Zebra node to immediately crash upon receiving a specially crafted transaction, resulting in a Denial of Service (DoS).
The impact is primarily on availability, as the node becomes unavailable due to the crash. There is no impact on confidentiality or integrity.
An attacker can exploit this remotely without any privileges or user interaction, making it easy to disrupt the operation of affected Zebra nodes.
Mitigation involves upgrading to Zebra version 4.3.0 or later, or restricting access to the RPC interface and limiting the P2P port to trusted peers to prevent exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or panics in Zebra nodes when processing V5 transactions. Since the vulnerability is triggered by specially crafted V5 transactions sent to the node's public P2P port (default 8233) or via the sendrawtransaction RPC method, observing unexpected node crashes or panics during transaction processing is an indicator.
To detect attempts to exploit this vulnerability on your network, you can monitor network traffic on port 8233 for unusual or malformed transaction messages.
Suggested commands include:
- Use network monitoring tools like tcpdump or Wireshark to capture traffic on port 8233: `tcpdump -i <interface> port 8233`
- Check Zebra node logs for panic or crash messages related to transaction processing failures.
- If using the RPC interface, monitor for suspicious sendrawtransaction calls that might include malformed V5 transactions.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Zebra to version 4.3.0 or later, where the vulnerability has been fixed by rejecting problematic transactions during initial deserialization and handling errors gracefully.
If an immediate upgrade is not possible, you should:
- Restrict access to the RPC interface to trusted users only.
- Close or limit access to the P2P port (default 8233) to trusted peers to prevent remote exploitation.
Note that restricting the P2P port may affect network synchronization.
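A simplified Rust model of the root cause and the fix described in the answers above: a field rule deferred past deserialization that surfaces as a panic during ID computation, versus rejecting at deserialization and returning errors. This is an added example, not Zebra's code; the 5-byte layout, the `field` rule, the toy digest, and all function names are hypothetical.

```rust
// Simplified model of the bug class; not Zebra's code. Layout and names are hypothetical.
use std::panic::catch_unwind;

#[derive(Debug, PartialEq)]
enum TxError { Truncated, BadField(u32) }

struct Tx { version: u8, field: u32 }

// Rule the ID computation depends on (hypothetical stand-in for a field
// that the underlying parsing library validates eagerly).
fn check_field(v: u32) -> Result<u32, TxError> {
    if v < 0x8000_0000 { Ok(v) } else { Err(TxError::BadField(v)) }
}

// Toy, non-cryptographic stand-in for the real transaction digest.
fn digest(version: u8, field: u32) -> u64 {
    ((u64::from(version) << 32) | u64::from(field)).wrapping_mul(0x9E37_79B9_7F4A_7C15)
}

// BEFORE: deserialization checks only the length; the field rule is deferred.
fn parse_lazy(b: &[u8]) -> Result<Tx, TxError> {
    if b.len() != 5 { return Err(TxError::Truncated); }
    Ok(Tx { version: b[0], field: u32::from_le_bytes([b[1], b[2], b[3], b[4]]) })
}

// BEFORE: the deferred rule fails here, in code that assumes it cannot fail.
fn txid_panicking(tx: &Tx) -> u64 {
    digest(tx.version, check_field(tx.field).expect("validated at parse time"))
}

// AFTER: the same rule is enforced during deserialization ...
fn parse_strict(b: &[u8]) -> Result<Tx, TxError> {
    let tx = parse_lazy(b)?;
    check_field(tx.field)?;
    Ok(tx)
}

// AFTER: ... and ID computation returns an error instead of unwinding.
fn txid_checked(tx: &Tx) -> Result<u64, TxError> {
    Ok(digest(tx.version, check_field(tx.field)?))
}

fn main() {
    let bad = [5u8, 0xff, 0xff, 0xff, 0xff]; // constructed sample input
    let tx = parse_lazy(&bad).expect("lazy parser accepts it");
    println!("lazy path panics: {}", catch_unwind(|| txid_panicking(&tx)).is_err());
    println!("strict parse:     {:?}", parse_strict(&bad).err());
    println!("checked txid:     {:?}", txid_checked(&tx));
}
```

When reviewing code that handles untrusted input, the pattern to look for is any `expect` or `unwrap` whose justification is "the parser already checked this"; each one is only as safe as the parser's actual checks.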
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a remote Denial of Service (DoS) by crashing Zebra nodes, which impacts availability but does not affect the confidentiality or integrity of data.
Since the vulnerability does not lead to unauthorized data access or data leakage, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or health data.
However, the availability impact caused by the DoS could indirectly affect compliance if the affected systems are critical for maintaining required service levels or data availability under these regulations.