CVE-2026-34377
Received Received - Intake
Logic Error in Zebra Transaction Cache Causes Consensus Split

Publication date: 2026-03-31

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34377
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zfnd zebra-consensus to 5.0.1 (exc)
zfnd zebra to 4.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided context and resources do not contain any information regarding the impact of CVE-2026-34377 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34377 is a high-severity vulnerability in Zebra, a Rust implementation of the Zcash protocol, affecting versions prior to 4.3.0. The flaw is a logic error in Zebra's transaction verification cache related to V5 transactions. Zebra uses a transaction ID (txid) that excludes authorization data to optimize verification. However, the cache incorrectly assumes a transaction is verified if the txid matches, skipping the critical authorization data check.

A malicious miner can exploit this by submitting a block containing a transaction with a valid txid but invalid authorization data. Vulnerable Zebra nodes accept this invalid block without re-verifying authorization, while other nodes reject it, causing a consensus split. This does not allow invalid transactions to be accepted but leads to network partitioning and divergence between Zebra nodes.

The issue was fixed in Zebra version 4.3.0 by ensuring verification is only skipped when the full transaction integrity, including authorization data, matches the mempool entry.

Impact Analysis

This vulnerability can cause a consensus split in the Zcash network by allowing vulnerable Zebra nodes to accept invalid blocks that other nodes reject. This leads to network partitioning and service disruption.

Such a consensus split can enable double-spend attacks and undermine the integrity and availability of the blockchain network for affected nodes.

However, invalid transactions themselves are not accepted; the main impact is the divergence of consensus between vulnerable Zebra nodes and the rest of the network.

Node operators running vulnerable Zebra versions are strongly advised to upgrade to version 4.3.0 immediately to prevent these impacts.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Zebra node software to version 4.3.0 or later, as this version contains the fix for CVE-2026-34377.

This update ensures that transaction verification properly validates authorization data for V5 transactions, preventing consensus splits caused by malicious miners.

There are no known workarounds other than upgrading, so node operators should apply this update as soon as possible to maintain consensus integrity and avoid network partitioning or service disruption.

Detection Guidance

There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.

The recommended action is to verify the version of Zebra node software running on your system. Versions prior to zebrad 4.3.0 and zebra-consensus 5.0.1 are vulnerable.

To detect if your Zebra node is vulnerable, check the installed version by running a command similar to:

  • zebrad --version

If the version is older than 4.3.0, your node is vulnerable and should be updated immediately.

No specific network or system commands to detect exploitation or presence of the vulnerability are documented.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34377. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart