CVE-2026-41583
Consensus Rule Bypass in Zebra Node

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Zebra is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricts the possible values of sighash hash types for V5 transactions, which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also create a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
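The following Rust model is an added example, not code from Zebra or zcashd. It shows why the two defects in the description are consensus-relevant: a node that skips the V5 hash-type allow-list, or that commits a "canonical" hash type for V4 where the spec commits the raw byte, reaches a different verdict or a different digest than a spec-following node for the same signature. The six-value V5 allow-list is taken from ZIP-244 as I understand it, the canonical mapping is my model of the pre-fix behaviour, and the digest is an FNV-1a stand-in for the real BLAKE2b-based sighash; all three are assumptions, not details from this advisory.

```rust
// Added example (not Zebra's own code). Models the two hash-type rules the
// advisory describes and compares a spec-following node with a pre-fix node.

/// Transparent signature hash type flags (standard SIGHASH values).
const SIGHASH_ALL: u32 = 0x01;
const SIGHASH_NONE: u32 = 0x02;
const SIGHASH_SINGLE: u32 = 0x03;
const SIGHASH_ANYONECANPAY: u32 = 0x80;
/// Low bits that select the base type in a script interpreter.
const SIGHASH_BASE_MASK: u32 = 0x1f;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TxVersion {
    V4,
    V5,
}

/// NU5 rule for V5 transactions (assumed allow-list from ZIP-244): hash_type
/// must be exactly ALL, NONE or SINGLE, optionally combined with ANYONECANPAY.
pub fn is_valid_v5_hash_type(hash_type: u32) -> bool {
    matches!(hash_type, 0x01 | 0x02 | 0x03 | 0x81 | 0x82 | 0x83)
}

/// "Canonical" reading of a raw hash type: unknown base values fall back to
/// ALL and stray bits are dropped. Assumed model of the pre-fix V4 behaviour.
pub fn canonical_hash_type(raw: u32) -> u32 {
    let base = match raw & SIGHASH_BASE_MASK {
        SIGHASH_NONE => SIGHASH_NONE,
        SIGHASH_SINGLE => SIGHASH_SINGLE,
        _ => SIGHASH_ALL,
    };
    base | (raw & SIGHASH_ANYONECANPAY)
}

/// Stand-in digest (FNV-1a 64-bit) over preimage || hash_type as 4 LE bytes.
/// Real Zcash sighashes use personalised BLAKE2b-256; only "same bytes in,
/// same digest out" matters here.
pub fn sighash_stand_in(preimage: &[u8], hash_type: u32) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in preimage.iter().chain(hash_type.to_le_bytes().iter()) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Which rules a node applies when it verifies a transparent signature.
#[derive(Clone, Copy, Debug)]
pub struct NodeRules {
    pub enforce_v5_allow_list: bool,
    pub canonicalize_v4: bool,
}

/// zcashd / fixed Zebra: allow-list enforced, raw value committed for V4.
pub const SPEC_NODE: NodeRules = NodeRules { enforce_v5_allow_list: true, canonicalize_v4: false };
/// Pre-fix Zebra as described in the advisory: no V5 check, canonical V4 value.
pub const PRE_FIX_ZEBRA: NodeRules = NodeRules { enforce_v5_allow_list: false, canonicalize_v4: true };

/// A node either rejects the signature outright or accepts it with a digest.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept(u64),
    Reject,
}

pub fn node_verdict(rules: NodeRules, version: TxVersion, raw: u32, preimage: &[u8]) -> Verdict {
    let committed = match version {
        TxVersion::V5 => {
            if rules.enforce_v5_allow_list && !is_valid_v5_hash_type(raw) {
                return Verdict::Reject;
            }
            raw
        }
        TxVersion::V4 => {
            if rules.canonicalize_v4 { canonical_hash_type(raw) } else { raw }
        }
    };
    Verdict::Accept(sighash_stand_in(preimage, committed))
}

/// True when the spec node and the pre-fix node reach the same verdict;
/// false marks an input on which the two implementations would split.
pub fn nodes_agree(version: TxVersion, raw: u32, preimage: &[u8]) -> bool {
    node_verdict(SPEC_NODE, version, raw, preimage) == node_verdict(PRE_FIX_ZEBRA, version, raw, preimage)
}

fn main() {
    // Constructed preimage; any byte string works for the comparison.
    let preimage = b"constructed-sighash-preimage";
    for (version, raw) in [(TxVersion::V5, 0x01), (TxVersion::V5, 0x45), (TxVersion::V4, 0x01), (TxVersion::V4, 0x41)] {
        println!("{:?} hash_type 0x{:02x}: nodes agree = {}", version, raw, nodes_agree(version, raw, preimage));
    }
}
```

Running `main` shows the two problem cases: a V5 signature with hash_type 0x45 is rejected by the spec node but accepted by the pre-fix node, and a V4 signature with raw hash_type 0x41 is accepted by both but over different committed bytes, so the digests (and therefore signature validity) diverge. Inputs that are already canonical, such as 0x01 or 0x81, agree for both versions.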
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor  Product       Version / Range
zfnd    zebrad        up to 4.3.1 (excluding)
zfnd    zebra-script  up to 5.0.2 (excluding)
CWE
CWE-573: The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41583 is a critical vulnerability in Zebra, a Zcash node implementation written in Rust. The issue arises from Zebra failing to enforce a consensus rule that restricts the allowed sighash hash types for V5 transactions after a code refactoring. This failure allows Zebra nodes to accept and mine blocks that are invalid according to the official zcashd nodes, causing a consensus split between Zebra and zcashd.

Additionally, for V4 transactions, Zebra incorrectly used the "canonical" hash type instead of the raw value when computing the sighash, which also risks causing consensus divergence.

This vulnerability was fixed in zebrad version 4.3.1 and zebra-script version 5.0.2.


How can this vulnerability impact me?

This vulnerability can lead to a consensus split between Zebra nodes and zcashd nodes, which can cause network partitioning and service disruption.

Malicious actors could exploit this flaw to induce double-spend attacks by causing the network to disagree on the validity of certain transactions.

Because the flaw affects the core consensus mechanism, it poses a high severity risk with a CVSS score of 9.3, indicating potential for widespread network impact.

Users of Zebra nodes are strongly advised to upgrade to the fixed versions immediately, as no workarounds exist.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or methods provided to identify this vulnerability on your network or system.

The vulnerability relates to Zebra node versions prior to 4.3.1 and zebra-script versions prior to 5.0.2 failing to validate consensus rules correctly, which could cause consensus splits.

Detection would primarily involve verifying the version of Zebra or zebra-script software running on your nodes.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade Zebra nodes to version 4.3.1 or later and zebra-script to version 5.0.2 or later.

No workarounds exist for this vulnerability, so upgrading is critical to prevent consensus splits and potential network disruption.

