CVE-2026-41584
Denial of Service in ZEBRA Node via Orchard Transaction

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. This issue affects zebrad versions prior to 4.3.1 and zebra-chain versions prior to 6.0.2. Orchard transactions contain an rk field, which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value); however, the orchard crate, which is used to verify Orchard proofs, would panic when fed an rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor | Product | Version / Range
zfnd | zebrad | up to 4.3.1 (exclusive)
zfnd | zebra-chain | up to 6.0.2 (exclusive)
CWE ID | Description
CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Executive Summary

CVE-2026-41584 is a critical Denial of Service vulnerability in the Zcash Zebra node software. It involves the "rk" field in Orchard transactions, which is an elliptic curve point that can legally be set to an identity (zero) value according to the Zcash specification.

However, the orchard crate used to verify these transactions would panic when it encounters an identity rk value, causing the Zebra node to crash when processing a maliciously crafted transaction containing this value.

The root cause is an unwrap() call on coordinate extraction in the orchard crate's circuits.rs file, which triggers a panic if rk is the identity.

This vulnerability affects all Zebra versions prior to 4.3.1 and was fixed by disallowing identity rk values during transaction parsing.
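
The failure pattern and the parse-time fix described above, as a self-contained Rust sketch added here for illustration. It is not code from the orchard crate or Zebra: `Point`, `ParseError`, the `parse_rk_*` and `instance_*` functions, and the all-zero identity encoding are assumptions of this toy model.

```rust
// Added illustration: every type and function here is a hypothetical stand-in,
// not the orchard crate or Zebra API.

/// Toy 32-byte point encoding. Assumption: all-zero bytes model the identity.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Point([u8; 32]);

impl Point {
    pub fn is_identity(&self) -> bool {
        self.0.iter().all(|b| *b == 0)
    }
    /// The identity has no affine coordinates, so this returns None for it.
    pub fn coordinates(&self) -> Option<(&[u8], &[u8])> {
        if self.is_identity() { None } else { Some(self.0.split_at(16)) }
    }
}

#[derive(Debug, PartialEq)]
pub enum ParseError { IdentityRk }

/// Pre-fix shape: deserialization accepts any encoding, identity included.
pub fn parse_rk_permissive(bytes: [u8; 32]) -> Point { Point(bytes) }

/// Post-fix shape: an identity rk is rejected while parsing the transaction,
/// so it never reaches proof verification.
pub fn parse_rk_strict(bytes: [u8; 32]) -> Result<Point, ParseError> {
    let p = Point(bytes);
    if p.is_identity() { Err(ParseError::IdentityRk) } else { Ok(p) }
}

/// Verifier step that assumes coordinates exist (CWE-617): panics on identity.
pub fn instance_unwrap(rk: &Point) -> Vec<u8> {
    let (x, y) = rk.coordinates().unwrap();
    [x, y].concat()
}

/// Same step with the missing coordinates surfaced as an error instead.
pub fn instance_checked(rk: &Point) -> Result<Vec<u8>, ParseError> {
    let (x, y) = rk.coordinates().ok_or(ParseError::IdentityRk)?;
    Ok([x, y].concat())
}

fn main() {
    let identity = [0u8; 32]; // constructed sample input
    let crashed =
        std::panic::catch_unwind(|| instance_unwrap(&parse_rk_permissive(identity))).is_err();
    println!("unwrap path panicked: {}", crashed);
    println!("strict parse result: {:?}", parse_rk_strict(identity));
}
```

In a node process an uncaught panic like the one in `instance_unwrap` takes the process down, which is why input that the wire format permits has to be rejected or handled as an error before it reaches code that assumes it cannot occur.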

Impact Analysis

This vulnerability can cause a Zebra node to crash immediately upon processing a specially crafted transaction containing an identity rk value.

The primary impact is a loss of node availability, resulting in a Denial of Service (DoS) condition.

Attackers can exploit this remotely by submitting malicious transactions to vulnerable Zebra nodes, causing them to become unavailable.

Detection Guidance

This vulnerability causes Zebra nodes to crash when processing a crafted Orchard transaction containing an identity rk field. Detection involves monitoring Zebra node stability and logs for crashes triggered by such transactions.

There are no specific commands or network detection signatures provided to identify this vulnerability directly on your system or network.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Zebra node software to version 4.3.1 or later, or zebra-chain version 6.0.2 or later, where the vulnerability has been patched.

There are no known workarounds to mitigate this issue without upgrading.

Compliance Impact

This vulnerability causes a critical Denial of Service by crashing Zebra nodes when processing crafted transactions, leading to loss of node availability.

However, there is no information provided about any impact on data confidentiality, integrity, or privacy that would directly affect compliance with standards such as GDPR or HIPAA.

Therefore, based on the available information, this vulnerability primarily affects system availability but does not explicitly affect compliance with common data protection regulations.
