CVE-2026-40880
Consensus Split Vulnerability in Zebra Transaction Verification Cache
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zfnd | zebra-consensus | to 5.0.2 (exc) |
| zfnd | zebrad | to 4.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1025 | The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability primarily impacts the integrity and availability of Zebra nodes and the Zcash network by causing consensus splits, network partitioning, and potential double-spend attacks. It does not affect confidentiality.
Since the vulnerability does not impact confidentiality or expose personal or sensitive data, it does not directly affect compliance with data protection standards and regulations such as GDPR or HIPAA, which focus heavily on protecting personal data privacy and security.
However, the disruption of service and integrity issues could indirectly affect operational compliance aspects related to availability and integrity of systems, depending on the specific regulatory requirements applicable to the deployment environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.
The vulnerability arises from a logic error in Zebra's transaction verification cache affecting versions prior to zebrad 4.3.1 and zebra-consensus 5.0.2. The recommended action is to upgrade to these fixed versions or later.
Can you explain this vulnerability to me?
CVE-2026-40880 is a high-severity consensus vulnerability in Zebra, a Zcash node implementation written in Rust, affecting versions prior to 4.3.1 and zebra-consensus versions before 5.0.2.
The vulnerability arises from a logic error in Zebra's transaction verification cache, which was intended to optimize performance by skipping re-verification of transactions already accepted into the mempool.
This cache failed to consider that transaction validity depends on blockchain height due to factors like expiry height, lock time, and network upgrades.
A malicious miner can exploit this by submitting a transaction valid at height H+1 but invalid at height H+2, then mining blocks containing this transaction at these heights in a way that causes vulnerable Zebra nodes to accept an invalid block.
This leads to a consensus split where vulnerable Zebra nodes accept blocks rejected by other nodes, causing network partition and consensus failure.
How can this vulnerability impact me? :
This vulnerability can cause network partitioning and service disruption by inducing a consensus split between Zebra nodes and the rest of the Zcash network.
It can lead to acceptance of invalid blocks by vulnerable nodes, which may result in double-spend attacks due to consensus failure.
The integrity and availability of affected nodes and subsequent systems are impacted, although confidentiality is not affected.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability can be mitigated by upgrading Zebra to version 4.3.1 or later and zebra-consensus to version 5.0.2 or later.
No workarounds exist, so immediate upgrade is strongly advised to prevent consensus splits and potential network partitioning.