Skip to main content

Zebra CVE-2026-52735

CRITICAL
Incorrect Provision of Specified Functionality (CWE-684)
2026-07-02 https://github.com/ZcashFoundation/zebra GHSA-gf9r-m956-97qx
Share

Severity by source

vuln.today AI
10.0 CRITICAL

Unauthenticated network broadcast (AV:N/PR:N/UI:N); no confidentiality impact, but consensus integrity and network availability are severely hit and the impact extends beyond the single node (S:C).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 20:35 vuln.today

DescriptionCVE.org

Am I affected

You are affected if:

  1. You run any version of zebrad up to and including v4.4.1.
  2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate.

All default configurations are affected. No feature flags, non-default settings, or special build options are required.

Summary

Zebra's P2SH sigop counter uses a pure-Rust code path that short-circuits on disabled opcodes (such as OP_CODESEPARATOR), returning a partial count of zero for any sigops following the disabled opcode. The reference implementation (zcashd) correctly counts through disabled opcodes in its static sigop analysis. This produces a consensus divergence: Zebra accepts blocks that zcashd rejects when the block-wide MAX_BLOCK_SIGOPS = 20,000 threshold is crossed on one side but not the other.

An attacker can exploit this without mining capability. Broadcasting transactions that spend P2SH outputs with malicious redeem scripts is sufficient; any Zebra miner who includes those transactions in a block triggers a chain split between Zebra and zcashd validators.

Details

The P2SH sigop counter at zebra-script/src/lib.rs:399 calls script::Code(redeemed_bytes).sig_op_count(true), which is a pure-Rust path through zcash_script-0.4.4. The legacy (non-P2SH) sigop counter at lib.rs:282-289 correctly uses the C++ FFI via interpreter.legacy_sigop_count_script(). Only the P2SH path bypasses the FFI.

The Rust parser in zcash_script-0.4.4/src/opcode/mod.rs:1247-1260 treats 16 disabled opcodes (0x7e through 0xab, including OP_CAT, OP_SUBSTR, OP_AND, OP_OR, OP_XOR, OP_2MUL, OP_2DIV, OP_MUL, OP_DIV, OP_MOD, OP_LSHIFT, OP_RSHIFT, and OP_CODESEPARATOR) as Err(Error::Disabled(...)). The sig_op_count function at iter.rs:104-115 uses try_fold, which terminates on the first Err and returns the partial sum accumulated so far.

zcashd's GetOp2 (script.h:514-562) returns true for all non-push opcodes including the disabled range. Its GetSigOpCount(true) (script.cpp:152-174) continues counting through disabled opcodes. zcashd rejects disabled opcodes at execution time in the interpreter, not during static sigop analysis.

A redeem script of [0xab, OP_CHECKMULTISIG x 50] produces: Zebra = 0 sigops, zcashd = 1,000 sigops. Across 21 inputs in a block, Zebra computes 0 while zcashd computes 21,000, crossing the MAX_BLOCK_SIGOPS = 20,000 threshold on one side only.

Patches

Patched in Zebra 4.4.2. The fix routes the P2SH sigop counter through the same C++ FFI already used by the legacy sigop counter.

Workarounds

There is no configuration-level workaround. All Zebra nodes validating blocks on a network shared with zcashd are affected. Upgrade as soon as the patched version is available.

Impact

A chain split between Zebra and zcashd validators. The attacker broadcasts spending transactions referencing P2SH outputs whose redeem scripts contain a disabled opcode followed by OP_CHECKSIG or OP_CHECKMULTISIG opcodes. When a Zebra miner (estimated ~30% of current network hashrate) includes these transactions in a block, Zebra validators accept the block while zcashd validators reject it with bad-blk-sigops. The two halves of the network diverge and every subsequent block extending the Zebra-side tip inherits the divergence.

The attacker does not need mining capability, RPC access, or any special privileges. The cost is the transaction fees for the funding and spending transactions.

Credit

Reported by @samsulselfut via a private GitHub Security Advisory submission.

AnalysisAI

Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fund P2SH output with disabled-opcode redeem script
Delivery
Broadcast transactions spending those outputs
Exploit
Zebra miner includes them in a block
Execution
Zebra undercounts sigops and accepts block
Persist
zcashd rejects block as bad-blk-sigops
Impact
Network chain split propagates to later blocks

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Zebra node (v4.4.1 or earlier) be validating blocks on a network shared with zcashd nodes - the defining condition, since the vulnerability manifests as a divergence between the two implementations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS or EPSS score is provided (both N/A) and this is not on the CISA KEV list, so quantitative signals are absent and must be reasoned from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker funds a P2SH output whose redeem script places a disabled opcode (e.g., 0xab / OP_CODESEPARATOR) ahead of many OP_CHECKMULTISIG operations, then broadcasts transactions spending those outputs across the network for only the cost of transaction fees. When a Zebra miner (~30% of hashrate) includes ~21 such inputs in a block, Zebra counts 0 sigops while zcashd counts ~21,000, crossing the 20,000 MAX_BLOCK_SIGOPS limit on one side only; Zebra accepts the block and zcashd rejects it with bad-blk-sigops, splitting the chain. …
Remediation Vendor-released patch: Zebra 4.4.2 - upgrade zebrad to 4.4.2 or later, which routes the P2SH sigop counter through the same C++ FFI already used by the legacy sigop counter so counts match zcashd. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Zebra (zebrad) deployments and assess their role in transaction processing and settlement. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy