Zebra, Consensus Bypass, CVE-2026-40880 (High)

Listen to this Post

How the mentioned CVE works (technical details):

The vulnerability resides in Zebra’s transaction verification cache optimization. This cache assumes that if a transaction was previously accepted into the mempool (and thus fully verified as valid), subsequent verifications can be skipped. However, the optimization ignores height-dependent validity rules. A transaction may be valid at block height H+1 but invalid at H+2 due to expiry height, lock time, or network upgrade boundaries. An attacker (malicious miner) exploits this by:
1. Submitting a transaction with expiry height H+1 to the target Zebra node, which verifies it and adds it to the mempool.
2. Mining two blocks: block H+1 and block H+2, where block H+2 contains the same transaction.
3. Propagating block H+2 before block H+1 to vulnerable Zebra nodes.
4. Zebra’s cached verification accepts block H+2 as valid (since transaction is in mempool) and waits for block H+1.
5. When block H+1 arrives, Zebra commits both blocks, even though the transaction expired at H+1 and is invalid in H+2.
6. Other nodes (zcashd or patched Zebra) reject block H+2, causing a chain fork. The vulnerable node becomes isolated from the consensus network. The root cause is failure to re-validate height-dependent transaction fields (expiry, locktime, upgrade activation) against the target block’s height when using the mempool cache.

dailycve form:

Platform: Zebra node
Version: < 4.3.1
Vulnerability: Cache consensus bypass
Severity: High
date: 2026-04-10

Prediction: Patch 2026-04-25

What Undercode Say:

Analytics: Monitor mempool cache hits vs height mismatches.

Check Zebra version
zebrad --version | grep "Zebra"
Verify fix applied (v4.3.1+)
grep "transaction.verification.cache" ~/.cache/zebra/debug.log
Simulate height-dependent expiry validation
zcash-cli getblockchaininfo | grep "blocks"
curl -s http://localhost:8232/status | jq '.chain.height'

Exploit:

Miner submits tx with expiry=H+1, mines H+2 containing same tx, sends H+2 before H+1 to vulnerable nodes, causing them to accept invalid block and fork.

Protection from this CVE:

Upgrade to Zebra 4.3.1 immediately. No workaround; disable cache optimization only in fixed version. Validate all height-dependent fields (expiry, locktime, NU) even for mempool-cached txs.

Impact:

Consensus split, network partition, potential double-spends on isolated nodes. Affects all pre-4.3.1 Zebra nodes running V5 transaction cache.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top