Skip to main content

Zebra CVE-2026-44497

CRITICAL
Improper Verification of Cryptographic Signature (CWE-347)
2026-05-07 https://github.com/ZcashFoundation/zebra GHSA-gq4h-3grw-2rhv
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 08, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
May 08, 2026 - 15:22 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
May 07, 2026 - 21:17 vuln.today
Analysis Generated
May 07, 2026 - 21:17 vuln.today
CVE Published
May 07, 2026 - 20:56 nvd
CRITICAL

DescriptionGitHub Advisory

CVE-2026-44497: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer

Summary

The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue due to insuficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes.

Severity

Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.

Note that the impact is currently alleviated by the fact that currently most miners run zcashd.

Affected Versions

Zebra 4.3.1.

Description

Verification of transparent transactions inherits the Bitcoin Script verification code in C++, called from Zebra through a foreign function interface (FFI) with a Rust callback that computes the sighash. The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj added the missing V5 hash-type consensus check on the Rust side, returning None for undefined hash types. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns Some, and the C++ checker reads that buffer unconditionally, so the failure signal is lost.

An attacker could exploit this by:

  • Constructing a transparent output spent by a script that runs a valid OP_CHECKSIGVERIFY immediately before an OP_CHECKSIG with an undefined hash type.
  • The first opcode primes the C++ sighash buffer with a valid digest; the second causes Zebra's callback to return None while the C++ checker verifies the invalid signature against the stale digest.
  • Zebra accepts the spend, zcashd rejects it, creating a consensus split in the network.

Impact

Consensus Failure

  • Attack Vector: Network.
  • Effect: Network partition/consensus split.
  • Scope: Any affected Zebra node, and any miner or template pipeline that relies on Zebra's validation result.

Fixed Versions

This issue is fixed in 4.4.0.

The fixes uses a workaround where the input buffer is filled with random bytes on validation failure, which makes signature validation fail (as expected) with overwhelming probability. This avoids a breaking release of the zcash_script crate. A future release will propagate the error correctly for a direct fix.

Mitigation

Users should upgrade to 4.4.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.

Credits

Zebra thanks @sangsoo-osec for finding and reporting the issue.

AnalysisAI

Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.

Technical ContextAI

Zebra is an independent Rust implementation of the Zcash protocol that validates blockchain consensus rules. This vulnerability exists at the foreign function interface (FFI) boundary between Zebra's Rust validation logic and inherited Bitcoin Script verification code in C++. During transparent transaction verification, Zebra computes transaction sighashes via Rust callback and passes them to C++ signature validators. The fix for prior vulnerability GHSA-8m29-fpq5-89jj added validation to reject undefined ZIP 244 V5 hash-type bytes by returning None from the Rust callback. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns Some. When None is returned, the buffer remains unchanged with data from previous operations, and the C++ verifier unconditionally reads this stale buffer without detecting the error condition. CWE-347 (Improper Verification of Cryptographic Signature) accurately captures the root cause: the signature verification logic fails to properly handle invalid inputs, leading to acceptance of cryptographically invalid signatures. The consensus rules for Zcash transaction validation require strict hash-type checking per ZIP 244 specification, and deviation from zcashd's behavior creates exploitable network partitioning.

RemediationAI

Upgrade to Zebra 4.4.0 or later immediately per vendor advisory. The fix implements a defense-in-depth workaround: when the Rust callback rejects an undefined hash type, it fills the sighash buffer with cryptographically secure random bytes from a per-call CSPRNG instead of leaving it unmodified, ensuring signature verification fails with overwhelming probability even if the error signal is lost at the FFI boundary. This approach avoids breaking changes to the zcash_script crate API. Future releases will implement direct error propagation for a definitive fix. Download fixed version from https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0. No workarounds exist for this vulnerability-the vendor explicitly states immediate upgrade is the only protection against consensus divergence and potential chain forks. For operators unable to upgrade immediately (not recommended), consider temporarily halting transaction acceptance and operating in read-only monitoring mode until patching is complete, though this does not prevent network-level consensus split if other vulnerable nodes exist. Verify upgrade success by confirming version 4.4.0 or later in node logs. Downstream users of zebra-script library must upgrade to version 6.0.0 to address the underlying vulnerability in the FFI layer.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-44497 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy