CVE-2026-44497
Consensus Split Due to Invalid Sighash Type in ZEBRA

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. This issue has been patched in zebrad version 4.4.0 and zebra-script version 6.0.0.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product      | Version / Range
zfnd   | zebrad       | to 4.4.0 (exc)
zfnd   | zebra-script | to 6.0.0 (exc)
CWE ID  | Description
CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in ZEBRA, a Zcash node written in Rust, specifically in versions prior to zebrad 4.4.0 and zebra-script 6.0.0. It stems from insufficient error handling when the sighash type is invalid during sighash computation. Instead of returning an error, the process continued normally, leaving the input sighash buffer unchanged. If a previous signature validation left a valid sighash in the buffer, this flaw could cause an invalid hash-type to be accepted incorrectly.

This acceptance of invalid sighash types can lead to a consensus split between Zebra nodes and zcashd nodes, meaning different nodes might disagree on the blockchain state.
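
A constructed Rust model of the failure mode described above, with the buggy pattern beside a checked one (an added example, not code from Zebra or zebra-script). All function names are hypothetical, `toy_digest` and the byte-equality "signature check" stand in for the real sighash and signature verification, and the set of valid hash types is an assumption of the model.

```rust
// Toy model (constructed), not Zebra's implementation.
// Assumed valid hash types: ALL/NONE/SINGLE, optionally with ANYONECANPAY (0x80).
fn is_valid_hash_type(t: u8) -> bool {
    matches!(t, 0x01 | 0x02 | 0x03 | 0x81 | 0x82 | 0x83)
}

// Stand-in for the real sighash; only needs to depend on tx bytes and hash type.
fn toy_digest(tx: &[u8], t: u8) -> [u8; 32] {
    let mut h = [t; 32];
    for (i, b) in tx.iter().enumerate() {
        h[i % 32] ^= b.wrapping_add(i as u8);
    }
    h
}

// Buggy pattern: on an invalid hash type nothing is reported and `out` keeps
// whatever the previous computation wrote into it.
fn sighash_unchecked(tx: &[u8], t: u8, out: &mut [u8; 32]) {
    if !is_valid_hash_type(t) {
        return;
    }
    *out = toy_digest(tx, t);
}

// Checked pattern: an invalid hash type is an error and no digest exists.
fn sighash_checked(tx: &[u8], t: u8) -> Result<[u8; 32], String> {
    if !is_valid_hash_type(t) {
        return Err(format!("invalid sighash type 0x{t:02x}"));
    }
    Ok(toy_digest(tx, t))
}

// Each "signature" is (hash_type, digest it commits to); returns accept/reject per entry.
fn verify_all_buggy(tx: &[u8], sigs: &[(u8, [u8; 32])]) -> Vec<bool> {
    let mut buf = [0u8; 32]; // shared across checks, so stale data can survive
    sigs.iter().map(|(t, sig)| { sighash_unchecked(tx, *t, &mut buf); buf == *sig }).collect()
}

fn verify_all_fixed(tx: &[u8], sigs: &[(u8, [u8; 32])]) -> Vec<bool> {
    sigs.iter().map(|(t, sig)| sighash_checked(tx, *t).map_or(false, |h| h == *sig)).collect()
}

// Constructed input: a valid check (0x01) followed by one with invalid type 0x40.
fn demo() -> (Vec<bool>, Vec<bool>) {
    let tx = b"constructed transaction bytes";
    let good = toy_digest(tx, 0x01);
    let sigs = [(0x01, good), (0x40, good)];
    (verify_all_buggy(tx, &sigs), verify_all_fixed(tx, &sigs))
}

fn main() { println!("{:?}", demo()); }
```

The buggy verifier accepts both entries because the second check compares against the digest left over from the first, while the checked verifier rejects the second; two implementations disagreeing on that verdict is what the consensus split refers to.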


How can this vulnerability impact me?

The vulnerability can cause a consensus split between Zebra nodes and zcashd nodes. This means that the blockchain state could diverge between different implementations, potentially leading to network instability, transaction validation issues, and loss of trust in the network's integrity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade zebrad to version 4.4.0 or later and zebra-script to version 6.0.0 or later, as these versions contain the patch that fixes the issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects zebrad versions prior to 4.4.0 and zebra-script versions prior to 6.0.0. Detection involves verifying the version of the installed zebrad or zebra-script software to ensure it includes the patch for CVE-2026-44497.

Check the version running on your system:

  • For zebrad, run: zebrad --version
  • For zebra-script, run: zebra-script --version

If the version is older than 4.4.0 for zebrad or older than 6.0.0 for zebra-script, your system is vulnerable.

There are no specific network detection commands or signatures provided for this vulnerability, as it is related to internal error handling during sighash computation in the software.

