Skip to main content

Zcashd CVE-2026-35679

| EUVDEUVD-2026-19126 LOW
Improperly Implemented Security Check for Standard (CWE-358)
2026-04-05 mitre
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.12.0
EUVD ID Assigned
Apr 05, 2026 - 21:30 euvd
EUVD-2026-19126
Analysis Generated
Apr 05, 2026 - 21:30 vuln.today
CVE Published
Apr 05, 2026 - 21:26 nvd
LOW 3.5

DescriptionCVE.org

Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs.

AnalysisAI

Zcash zcashd before version 6.12.0 fails to properly verify Sprout zero-knowledge proofs under certain conditions, allowing authenticated attackers to submit invalid transactions that could drain funds from the Sprout shielded pool. The vulnerability requires authenticated access and complex conditions to exploit, resulting in a low CVSS score of 3.5 despite the potential financial impact. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

Zcash zcashd is the reference implementation of the Zcash blockchain protocol. The Sprout shielded pool is an earlier privacy mechanism that uses zero-knowledge proofs (zk-SNARKs) to enable transactions without revealing sender, receiver, or amount. The vulnerability stems from incomplete or conditional validation of these cryptographic Sprout proofs during transaction acceptance, classified under CWE-358 (Improperly Restricted Operations on Dynamically Allocated Memory). This represents a gap in the consensus-critical proof verification logic that guards the integrity of shielded transactions.

RemediationAI

Upgrade zcashd to version 6.12.0 or later, which includes the corrected Sprout proof verification logic. The fix is available via the official Zcash release at https://github.com/zcash/zcash/releases/tag/v6.12.0 and is backed by the upstream commit db969c63f48f0f9fc518112ed0b7ace1af78b9d0. Node operators should prioritize this upgrade to restore full validation of Sprout transactions.

Share

CVE-2026-35679 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy