CVE-2026-41583
Analyzed Analyzed - Analysis Complete
Consensus Rule Bypass in Zebra Node

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41583
EUVD
EUVD-2026-28653
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zfnd zebrad to 4.3.1 (exc)
zfnd zebra-script to 5.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41583 is a critical vulnerability in Zebra, a Zcash node implementation written in Rust. The issue arises from Zebra failing to enforce a consensus rule that restricts the allowed sighash hash types for V5 transactions after a code refactoring. This failure allows Zebra nodes to accept and mine blocks that are invalid according to the official zcashd nodes, causing a consensus split between Zebra and zcashd.

Additionally, for V4 transactions, Zebra incorrectly used the "canonical" hash type instead of the raw value when computing the sighash, which also risks causing consensus divergence.

This vulnerability was fixed in zebrad version 4.3.1 and zebra-script version 5.0.2.

Impact Analysis

This vulnerability can lead to a consensus split between Zebra nodes and zcashd nodes, which can cause network partitioning and service disruption.

Malicious actors could exploit this flaw to induce double-spend attacks by causing the network to disagree on the validity of certain transactions.

Because the flaw affects the core consensus mechanism, it poses a high severity risk with a CVSS score of 9.3, indicating potential for widespread network impact.

Users of Zebra nodes are strongly advised to upgrade to the fixed versions immediately, as no workarounds exist.

Detection Guidance

There are no specific detection commands or methods provided to identify this vulnerability on your network or system.

The vulnerability relates to Zebra node versions prior to 4.3.1 and zebra-script versions prior to 5.0.2 failing to validate consensus rules correctly, which could cause consensus splits.

Detection would primarily involve verifying the version of Zebra or zebra-script software running on your nodes.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Zebra nodes to version 4.3.1 or later and zebra-script to version 5.0.2 or later.

No workarounds exist for this vulnerability, so upgrading is critical to prevent consensus splits and potential network disruption.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41583. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart