Skip to main content

zebrad CVE-2026-52733

MEDIUM
Incomplete Cleanup (CWE-459)
2026-07-02 https://github.com/ZcashFoundation/zebra GHSA-2gf8-q9rr-jq3h
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
vuln.today AI
6.5 MEDIUM

Trigger is network-level chain fork (AV:N, AC:H); no authentication required; persistent RocksDB integrity corruption justifies I:H, degraded wallet sync A:L, no confidentiality impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 20:42 vuln.today

DescriptionGitHub Advisory

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners).

All default configurations are affected. The corruption persists across restarts because it is written to RocksDB.

Summary

When pop_tip removes the tip block during a chain fork, stale Sapling and Orchard note commitment subtree root data is retained in the in-memory non-finalized state. When the chain subsequently finalizes, this stale data is written to the persistent RocksDB state. The corrupted subtree root history affects z_getsubtreesbyindex (used by lightwalletd for wallet synchronization) and could affect future chain verification that depends on correct subtree roots.

Details

The non-finalized state provides two methods for removing blocks: pop_root (removes the oldest block during finalization) and pop_tip (removes the newest block during a fork revert). pop_root correctly cleans up note commitment subtree contributions. pop_tip does not: it removes the block but retains the block's subtree root contributions in the in-memory state.

When a chain fork occurs and pop_tip reverts the old tip, the winning fork's chain is extended. When that chain is later finalized, the stale subtree data from the reverted blocks is included in the RocksDB write batch and persisted to disk.

The pop_root/pop_tip asymmetry is specific to subtree root handling. Other state managed by pop_tip (nullifiers, UTXOs, anchors, block hashes) uses different cleanup patterns that are not affected.

Patches

zebra-state 7.0.0 and zebrad 4.5.0.

The fix adds subtree root cleanup to pop_tip matching the pattern already used by pop_root.

Workarounds

There is no configuration-level workaround. Chain forks are natural events on any Proof-of-Work network. Operators can mitigate the downstream impact by periodically verifying subtree root consistency using z_getsubtreesbyindex against a known-good reference.

Impact

Persistent corruption of Sapling and Orchard subtree root history in the RocksDB state database. The corruption survives node restarts. Downstream consumers that rely on z_getsubtreesbyindex for wallet synchronization (primarily lightwalletd and light wallets) receive incorrect subtree roots. This does not directly affect consensus validation of new blocks but can cause wallet synchronization failures or incorrect wallet state. Recovery requires rebuilding the state database from scratch.

Credit

Reported by @dingledropper via a private GitHub Security Advisory submission.

AnalysisAI

Persistent RocksDB state corruption in zebrad up to v4.4.1 arises from an asymmetric cleanup bug in the non-finalized chain fork handler: pop_tip omits the Sapling and Orchard note commitment subtree root cleanup that pop_root correctly performs, causing stale subtree root entries to survive in memory and be flushed to disk during subsequent chain finalization. The corrupted subtree root history survives node restarts and is served to downstream consumers of z_getsubtreesbyindex - primarily lightwalletd and light wallets - causing wallet synchronization failures or incorrect wallet state that requires a full database rebuild to recover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Chain fork occurs on PoW network
Delivery
pop_tip reverts tip without subtree cleanup
Exploit
stale subtree roots persist in non-finalized state
Install
winning fork finalizes and flushes stale data to RocksDB
C2
corruption survives node restart
Execute
z_getsubtreesbyindex returns incorrect subtree roots
Impact
lightwalletd and wallets receive corrupted state

Vulnerability AssessmentAI

Exploitation No adversarial action is required - the vulnerability is triggered entirely by naturally occurring chain fork events on any Proof-of-Work network, including Zcash mainnet and testnet. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L) accurately characterizes the vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A chain fork occurs on Zcash mainnet - a routine PoW network event requiring no attacker involvement - causing zebrad to invoke `pop_tip` to revert the old tip block. Because `pop_tip` does not clean up Sapling and Orchard subtree root data, the stale entries persist in the non-finalized state and are written to RocksDB when the winning chain finalizes. …
Remediation Upgrade to zebrad 4.5.0 and zebra-state 7.0.0, which add subtree root cleanup to `pop_tip` matching the existing `pop_root` cleanup pattern; this is the only complete fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy