Zebra CVE-2026-34202
Severity (by source): CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
---
Remote Denial of Service via Crafted V5 Transactions
Summary
A vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.
Severity
Critical - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.
Affected Versions
All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0.
Description
The vulnerability stems from Zebra validating some transaction fields lazily that the librustzcash parsing logic validates eagerly. Zebra calls into that librustzcash logic to compute transaction IDs and auth digests for V5 transactions, and panics if those computations fail.
PushTransaction messages carrying malformed V5 transactions are successfully deserialized as the zebra-chain Transaction type by the network codec. When Zebra then converts such a transaction into its internal types to compute the TxID, it assumes the conversion cannot fail, so a failed conversion panics and crashes the node.
An attacker can trigger this crash by sending a single crafted tx message to a Zebra node's public P2P port. The same issue can be triggered via the sendrawtransaction RPC method.
Impact
Remote Denial of Service
- Attack Vector: Remote, unauthenticated.
- Effect: Immediate crash of the Zebra node.
- Scope: Any node with an open P2P port (default 8233) or exposed RPC interface is vulnerable.
Fixed Versions
This issue is fixed in Zebra 4.3.0.
The fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.
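The two halves of the bug described above (a lenient codec that accepts the message, followed by a conversion that is assumed to succeed) and the two halves of the fix (reject at parse time, and return an error instead of panicking) are illustrated by the following added example. It is not Zebra's or librustzcash's code: the wire format, the `WireTx`/`InternalTx` types, the `OutputKind` enum and the digest function are all hypothetical stand-ins chosen for the example (real V5 TxIDs are BLAKE2b-256 digests as specified in ZIP 244, and the real encoding is far more complex). The crafted message is constructed inline. `vulnerable_txid` shows the pre-fix pattern, `strict_deserialize` and `hardened_txid` the post-fix pattern.

```rust
use std::convert::TryFrom;
use std::panic;

// Hypothetical wire format for this example (NOT the real ZIP 225 V5 encoding):
//   [version u32 LE][version_group_id u32 LE][n u8][n x (kind u8, value u64 LE)]
// kind 0 = transparent, 1 = sapling, 2 = orchard; any other byte is malformed.

#[derive(Debug, Clone, PartialEq)]
pub struct WireTx {
    pub version: u32,
    pub version_group_id: u32,
    pub outputs: Vec<(u8, u64)>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    UnsupportedVersion(u32),
    BadOutputKind(u8),
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum OutputKind {
    Transparent,
    Sapling,
    Orchard,
}

impl TryFrom<u8> for OutputKind {
    type Error = ParseError;
    fn try_from(b: u8) -> Result<Self, ParseError> {
        match b {
            0 => Ok(OutputKind::Transparent),
            1 => Ok(OutputKind::Sapling),
            2 => Ok(OutputKind::Orchard),
            other => Err(ParseError::BadOutputKind(other)),
        }
    }
}

/// Stand-in for the internal (librustzcash-style) type the TxID is computed over.
pub struct InternalTx {
    version: u32,
    version_group_id: u32,
    outputs: Vec<(OutputKind, u64)>,
}

impl TryFrom<&WireTx> for InternalTx {
    type Error = ParseError;
    fn try_from(tx: &WireTx) -> Result<Self, ParseError> {
        // This is the eager check the internal type performs and the lenient codec skips.
        let outputs = tx.outputs.iter()
            .map(|&(kind, value)| OutputKind::try_from(kind).map(|k| (k, value)))
            .collect::<Result<Vec<_>, _>>()?;
        Ok(InternalTx { version: tx.version, version_group_id: tx.version_group_id, outputs })
    }
}

fn read<const N: usize>(bytes: &[u8], pos: &mut usize) -> Result<[u8; N], ParseError> {
    let s = bytes.get(*pos..*pos + N).ok_or(ParseError::Truncated)?;
    *pos += N;
    let mut out = [0u8; N];
    out.copy_from_slice(s);
    Ok(out)
}

/// Lenient network codec: checks structure and length only, defers semantic checks.
/// This is the "passes initial deserialization" half of the bug.
pub fn lenient_deserialize(bytes: &[u8]) -> Result<WireTx, ParseError> {
    let mut pos = 0;
    let version = u32::from_le_bytes(read::<4>(bytes, &mut pos)?);
    let version_group_id = u32::from_le_bytes(read::<4>(bytes, &mut pos)?);
    if version != 5 {
        return Err(ParseError::UnsupportedVersion(version));
    }
    let n = read::<1>(bytes, &mut pos)?[0] as usize;
    let mut outputs = Vec::with_capacity(n);
    for _ in 0..n {
        let kind = read::<1>(bytes, &mut pos)?[0]; // any kind byte is accepted here
        let value = u64::from_le_bytes(read::<8>(bytes, &mut pos)?);
        outputs.push((kind, value));
    }
    Ok(WireTx { version, version_group_id, outputs })
}

/// Placeholder digest (FNV-1a widened to 32 bytes). Real V5 TxIDs use BLAKE2b-256 (ZIP 244).
fn digest(tx: &InternalTx) -> [u8; 32] {
    fn fnv(h: u64, b: u8) -> u64 { (h ^ b as u64).wrapping_mul(0x100000001b3) }
    let mut h = 0xcbf29ce484222325u64;
    for b in tx.version.to_le_bytes().iter().chain(tx.version_group_id.to_le_bytes().iter()) {
        h = fnv(h, *b);
    }
    for (kind, value) in &tx.outputs {
        h = fnv(h, *kind as u8);
        for b in value.to_le_bytes() { h = fnv(h, b); }
    }
    let mut out = [0u8; 32];
    for (i, chunk) in out.chunks_mut(8).enumerate() {
        h = fnv(h, i as u8);
        chunk.copy_from_slice(&h.to_le_bytes());
    }
    out
}

/// Pre-fix pattern: the handler assumes the codec already validated everything.
pub fn vulnerable_txid(tx: &WireTx) -> [u8; 32] {
    let internal = InternalTx::try_from(tx).expect("tx passed deserialization; conversion cannot fail");
    digest(&internal)
}

/// Post-fix pattern, part 1: reject at parse time anything the TxID path would reject.
pub fn strict_deserialize(bytes: &[u8]) -> Result<WireTx, ParseError> {
    let tx = lenient_deserialize(bytes)?;
    InternalTx::try_from(&tx)?; // same validation the TxID computation performs
    Ok(tx)
}

/// Post-fix pattern, part 2: no panic even if a malformed tx reaches this point.
pub fn hardened_txid(tx: &WireTx) -> Result<[u8; 32], ParseError> {
    InternalTx::try_from(tx).map(|internal| digest(&internal))
}

/// Constructed sample: structurally well-formed, but the single output has kind 0xFF.
pub fn crafted_message() -> Vec<u8> {
    let mut m = Vec::new();
    m.extend_from_slice(&5u32.to_le_bytes());
    m.extend_from_slice(&0x26A7_270Au32.to_le_bytes());
    m.push(1);
    m.push(0xFF);
    m.extend_from_slice(&1_000u64.to_le_bytes());
    m
}

/// Constructed sample: the same message with a valid (orchard) output kind.
pub fn valid_message() -> Vec<u8> {
    let mut m = crafted_message();
    m[9] = 2;
    m
}

/// True if the pre-fix handler would have panicked on this message.
pub fn vulnerable_handler_panics(msg: &[u8]) -> bool {
    let tx = match lenient_deserialize(msg) { Ok(t) => t, Err(_) => return false };
    panic::catch_unwind(|| vulnerable_txid(&tx)).is_err()
}

fn main() {
    panic::set_hook(Box::new(|_| {})); // keep the demo output clean
    let msg = crafted_message();
    println!("lenient codec accepts crafted tx: {}", lenient_deserialize(&msg).is_ok());
    println!("pre-fix handler panics: {}", vulnerable_handler_panics(&msg));
    println!("strict codec rejects with: {:?}", strict_deserialize(&msg).err());
}
```

The point of the example is the split between `lenient_deserialize` and `InternalTx::try_from`: any check that the TxID path performs but the codec does not is a reachable panic for an unauthenticated peer. Making `strict_deserialize` call the same conversion that the TxID path uses closes the gap at the boundary, and `hardened_txid` returning `Result` is the defence in depth for anything that still slips through.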
Mitigation
Users should upgrade to Zebra 4.3.0 or later immediately.
If an immediate upgrade is not possible, users should ensure their RPC port is not exposed to the Internet. Note, however, that fully mitigating the risk also requires closing the P2P port or restricting it to trusted peers, which may impact the node's ability to sync with the network.
Credits
Zebra thanks robustfengbin, who discovered this issue and reported it via a coordinated disclosure process.
---
Analysis (AI-generated)
Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. …
Vulnerability Assessment (AI-generated)
| Section | Assessment |
|---|---|
| Exploitation | Remote unauthenticated attacker sends a specially crafted V5 transaction to any Zebra node supporting Network Upgrade 5 or later. … |
| Risk Assessment | This vulnerability presents a genuine operational risk for Zebra node operators. … |
| Exploit Scenario | An attacker identifies a Zebra node running a vulnerable version by connecting to the P2P network or scanning for nodes listening on port 8233. The attacker crafts a V5 transaction with fields that satisfy basic deserialization requirements but contain malformed data in fields used for transaction ID calculation, such as invalid transparent inputs/outputs or malformed shielded spend/output descriptions. … |
| Remediation | Upgrade immediately to Zebra version 4.3.0 or later, which adds validation during transaction deserialization to reject malformed V5 transactions before TxID calculation and replaces internal panic conditions with graceful error handling. … |
Recommended Action (AI-generated)
Within 24 hours: inventory all Zebra node deployments and identify instances running versions below 4.3.0; document current version numbers and isolation levels. …
Reference
GHSA-qp6f-w4r3-h8wg (GitHub Advisory)