CVE-2026-40880
Received Received - Intake
Consensus Split Vulnerability in Zebra Transaction Verification Cache

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40880
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zfnd zebra-consensus to 5.0.2 (exc)
zfnd zebrad to 4.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability primarily impacts the integrity and availability of Zebra nodes and the Zcash network by causing consensus splits, network partitioning, and potential double-spend attacks. It does not affect confidentiality.

Since the vulnerability does not impact confidentiality or expose personal or sensitive data, it does not directly affect compliance with data protection standards and regulations such as GDPR or HIPAA, which focus heavily on protecting personal data privacy and security.

However, the disruption of service and integrity issues could indirectly affect operational compliance aspects related to availability and integrity of systems, depending on the specific regulatory requirements applicable to the deployment environment.

Detection Guidance

There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.

The vulnerability arises from a logic error in Zebra's transaction verification cache affecting versions prior to zebrad 4.3.1 and zebra-consensus 5.0.2. The recommended action is to upgrade to these fixed versions or later.

Executive Summary

CVE-2026-40880 is a high-severity consensus vulnerability in Zebra, a Zcash node implementation written in Rust, affecting versions prior to 4.3.1 and zebra-consensus versions before 5.0.2.

The vulnerability arises from a logic error in Zebra's transaction verification cache, which was intended to optimize performance by skipping re-verification of transactions already accepted into the mempool.

This cache failed to consider that transaction validity depends on blockchain height due to factors like expiry height, lock time, and network upgrades.

A malicious miner can exploit this by submitting a transaction valid at height H+1 but invalid at height H+2, then mining blocks containing this transaction at these heights in a way that causes vulnerable Zebra nodes to accept an invalid block.

This leads to a consensus split where vulnerable Zebra nodes accept blocks rejected by other nodes, causing network partition and consensus failure.

Impact Analysis

This vulnerability can cause network partitioning and service disruption by inducing a consensus split between Zebra nodes and the rest of the Zcash network.

It can lead to acceptance of invalid blocks by vulnerable nodes, which may result in double-spend attacks due to consensus failure.

The integrity and availability of affected nodes and subsequent systems are impacted, although confidentiality is not affected.

Mitigation Strategies

The vulnerability can be mitigated by upgrading Zebra to version 4.3.1 or later and zebra-consensus to version 5.0.2 or later.

No workarounds exist, so immediate upgrade is strongly advised to prevent consensus splits and potential network partitioning.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40880. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart