Zebra Chain
Monthly
Remote attackers can crash ZEBRA Zcash nodes by submitting a crafted Orchard transaction containing an identity value in the rk (randomized validating key) field, triggering a panic in the orchard crate's verification logic. All ZEBRA versions prior to 4.3.1 are affected. This critical denial-of-service vulnerability requires no authentication and has low attack complexity (CVSS 4.0: 9.2, AV:N/AC:L/PR:N). The issue stems from improper handling of the elliptic curve point identity value during transaction verification, where the orchard crate's unwrap() call on coordinate extraction causes an unhandled panic. Fixed in zebrad 4.3.1 and zebra-chain 6.0.2 by rejecting identity rk values during transaction parsing.
Remote attackers can crash ZEBRA Zcash nodes by submitting a crafted Orchard transaction containing an identity value in the rk (randomized validating key) field, triggering a panic in the orchard crate's verification logic. All ZEBRA versions prior to 4.3.1 are affected. This critical denial-of-service vulnerability requires no authentication and has low attack complexity (CVSS 4.0: 9.2, AV:N/AC:L/PR:N). The issue stems from improper handling of the elliptic curve point identity value during transaction verification, where the orchard crate's unwrap() call on coordinate extraction causes an unhandled panic. Fixed in zebrad 4.3.1 and zebra-chain 6.0.2 by rejecting identity rk values during transaction parsing.