Skip to main content

Zebra Chain

1 CVEs product

Monthly

CVE-2026-41584 Cargo CRITICAL PATCH GHSA Act Now

Remote attackers can crash ZEBRA Zcash nodes by submitting a crafted Orchard transaction containing an identity value in the rk (randomized validating key) field, triggering a panic in the orchard crate's verification logic. All ZEBRA versions prior to 4.3.1 are affected. This critical denial-of-service vulnerability requires no authentication and has low attack complexity (CVSS 4.0: 9.2, AV:N/AC:L/PR:N). The issue stems from improper handling of the elliptic curve point identity value during transaction verification, where the orchard crate's unwrap() call on coordinate extraction causes an unhandled panic. Fixed in zebrad 4.3.1 and zebra-chain 6.0.2 by rejecting identity rk values during transaction parsing.

Denial Of Service Zebra Chain Zebrad
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Remote attackers can crash ZEBRA Zcash nodes by submitting a crafted Orchard transaction containing an identity value in the rk (randomized validating key) field, triggering a panic in the orchard crate's verification logic. All ZEBRA versions prior to 4.3.1 are affected. This critical denial-of-service vulnerability requires no authentication and has low attack complexity (CVSS 4.0: 9.2, AV:N/AC:L/PR:N). The issue stems from improper handling of the elliptic curve point identity value during transaction verification, where the orchard crate's unwrap() call on coordinate extraction causes an unhandled panic. Fixed in zebrad 4.3.1 and zebra-chain 6.0.2 by rejecting identity rk values during transaction parsing.

Denial Of Service Zebra Chain Zebrad
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy