CVE-2026-41584
Denial of Service in ZEBRA Node via Orchard Transaction
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zfnd | zebrad | to 4.3.1 (exc) |
| zfnd | zebra-chain | to 6.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41584 is a critical Denial of Service vulnerability in the Zcash Zebra node software. It involves the "rk" field in Orchard transactions, which is an elliptic curve point that can legally be set to an identity (zero) value according to the Zcash specification.
However, the orchard crate used to verify these transactions would panic when it encounters an identity rk value, causing the Zebra node to crash when processing a maliciously crafted transaction containing this value.
The root cause is an unwrap() call on coordinate extraction in the orchard crate's circuits.rs file, which triggers a panic if rk is the identity.
This vulnerability affects all Zebra versions prior to 4.3.1 and was fixed by disallowing identity rk values during transaction parsing.
How can this vulnerability impact me? :
This vulnerability can cause a Zebra node to crash immediately upon processing a specially crafted transaction containing an identity rk value.
The primary impact is a loss of node availability, resulting in a Denial of Service (DoS) condition.
Attackers can exploit this remotely by submitting malicious transactions to vulnerable Zebra nodes, causing them to become unavailable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes Zebra nodes to crash when processing a crafted Orchard transaction containing an identity rk field. Detection involves monitoring Zebra node stability and logs for crashes triggered by such transactions.
There are no specific commands or network detection signatures provided to identify this vulnerability directly on your system or network.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Zebra node software to version 4.3.1 or later, or zebra-chain version 6.0.2 or later, where the vulnerability has been patched.
There are no known workarounds to mitigate this issue without upgrading.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a critical Denial of Service by crashing Zebra nodes when processing crafted transactions, leading to loss of node availability.
However, there is no information provided about any impact on data confidentiality, integrity, or privacy that would directly affect compliance with standards such as GDPR or HIPAA.
Therefore, based on the available information, this vulnerability primarily affects system availability but does not explicitly affect compliance with common data protection regulations.