Zebra CVE-2026-44497
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
CVE-2026-44497: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Summary
The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue due to insuficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes.
Severity
Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.
Note that the impact is currently alleviated by the fact that currently most miners run zcashd.
Affected Versions
Zebra 4.3.1.
Description
Verification of transparent transactions inherits the Bitcoin Script verification code in C++, called from Zebra through a foreign function interface (FFI) with a Rust callback that computes the sighash. The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj added the missing V5 hash-type consensus check on the Rust side, returning None for undefined hash types. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns Some, and the C++ checker reads that buffer unconditionally, so the failure signal is lost.
An attacker could exploit this by:
- Constructing a transparent output spent by a script that runs a valid
OP_CHECKSIGVERIFYimmediately before anOP_CHECKSIGwith an undefined hash type. - The first opcode primes the C++ sighash buffer with a valid digest; the second causes Zebra's callback to return
Nonewhile the C++ checker verifies the invalid signature against the stale digest. - Zebra accepts the spend, zcashd rejects it, creating a consensus split in the network.
Impact
Consensus Failure
- Attack Vector: Network.
- Effect: Network partition/consensus split.
- Scope: Any affected Zebra node, and any miner or template pipeline that relies on Zebra's validation result.
Fixed Versions
This issue is fixed in 4.4.0.
The fixes uses a workaround where the input buffer is filled with random bytes on validation failure, which makes signature validation fail (as expected) with overwhelming probability. This avoids a breaking release of the zcash_script crate. A future release will propagate the error correctly for a direct fix.
Mitigation
Users should upgrade to 4.4.0 or later immediately.
There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.
Credits
Zebra thanks @sangsoo-osec for finding and reporting the issue.
AnalysisAI
Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.
Technical ContextAI
Zebra is an independent Rust implementation of the Zcash protocol that validates blockchain consensus rules. This vulnerability exists at the foreign function interface (FFI) boundary between Zebra's Rust validation logic and inherited Bitcoin Script verification code in C++. During transparent transaction verification, Zebra computes transaction sighashes via Rust callback and passes them to C++ signature validators. The fix for prior vulnerability GHSA-8m29-fpq5-89jj added validation to reject undefined ZIP 244 V5 hash-type bytes by returning None from the Rust callback. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns Some. When None is returned, the buffer remains unchanged with data from previous operations, and the C++ verifier unconditionally reads this stale buffer without detecting the error condition. CWE-347 (Improper Verification of Cryptographic Signature) accurately captures the root cause: the signature verification logic fails to properly handle invalid inputs, leading to acceptance of cryptographically invalid signatures. The consensus rules for Zcash transaction validation require strict hash-type checking per ZIP 244 specification, and deviation from zcashd's behavior creates exploitable network partitioning.
RemediationAI
Upgrade to Zebra 4.4.0 or later immediately per vendor advisory. The fix implements a defense-in-depth workaround: when the Rust callback rejects an undefined hash type, it fills the sighash buffer with cryptographically secure random bytes from a per-call CSPRNG instead of leaving it unmodified, ensuring signature verification fails with overwhelming probability even if the error signal is lost at the FFI boundary. This approach avoids breaking changes to the zcash_script crate API. Future releases will implement direct error propagation for a definitive fix. Download fixed version from https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0. No workarounds exist for this vulnerability-the vendor explicitly states immediate upgrade is the only protection against consensus divergence and potential chain forks. For operators unable to upgrade immediately (not recommended), consider temporarily halting transaction acceptance and operating in read-only monitoring mode until patching is complete, though this does not prevent network-level consensus split if other vulnerable nodes exist. Verify upgrade success by confirming version 4.4.0 or later in node logs. Downstream users of zebra-script library must upgrade to version 6.0.0 to address the underlying vulnerability in the FFI layer.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gq4h-3grw-2rhv