CVE-2026-34377
Logic Error in Zebra Transaction Cache Causes Consensus Split
Publication date: 2026-03-31
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zfnd | zebra-consensus | to 5.0.1 (exc) |
| zfnd | zebra | to 4.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34377 is a high-severity vulnerability in Zebra, a Rust implementation of the Zcash protocol, affecting versions prior to 4.3.0. The flaw is a logic error in Zebra's transaction verification cache related to V5 transactions. Zebra uses a transaction ID (txid) that excludes authorization data to optimize verification. However, the cache incorrectly assumes a transaction is verified if the txid matches, skipping the critical authorization data check.
A malicious miner can exploit this by submitting a block containing a transaction with a valid txid but invalid authorization data. Vulnerable Zebra nodes accept this invalid block without re-verifying authorization, while other nodes reject it, causing a consensus split. This does not allow invalid transactions to be accepted but leads to network partitioning and divergence between Zebra nodes.
The issue was fixed in Zebra version 4.3.0 by ensuring verification is only skipped when the full transaction integrity, including authorization data, matches the mempool entry.
How can this vulnerability impact me? :
This vulnerability can cause a consensus split in the Zcash network by allowing vulnerable Zebra nodes to accept invalid blocks that other nodes reject. This leads to network partitioning and service disruption.
Such a consensus split can enable double-spend attacks and undermine the integrity and availability of the blockchain network for affected nodes.
However, invalid transactions themselves are not accepted; the main impact is the divergence of consensus between vulnerable Zebra nodes and the rest of the network.
Node operators running vulnerable Zebra versions are strongly advised to upgrade to version 4.3.0 immediately to prevent these impacts.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Zebra node software to version 4.3.0 or later, as this version contains the fix for CVE-2026-34377.
This update ensures that transaction verification properly validates authorization data for V5 transactions, preventing consensus splits caused by malicious miners.
There are no known workarounds other than upgrading, so node operators should apply this update as soon as possible to maintain consensus integrity and avoid network partitioning or service disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not contain any information regarding the impact of CVE-2026-34377 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.
The recommended action is to verify the version of Zebra node software running on your system. Versions prior to zebrad 4.3.0 and zebra-consensus 5.0.1 are vulnerable.
To detect if your Zebra node is vulnerable, check the installed version by running a command similar to:
- zebrad --version
If the version is older than 4.3.0, your node is vulnerable and should be updated immediately.
No specific network or system commands to detect exploitation or presence of the vulnerability are documented.