Listen to this Post
How the mentioned CVE works (technical details):
The vulnerability resides in Zebra’s transaction verification cache optimization. This cache assumes that if a transaction was previously accepted into the mempool (and thus fully verified as valid), subsequent verifications can be skipped. However, the optimization ignores height-dependent validity rules. A transaction may be valid at block height H+1 but invalid at H+2 due to expiry height, lock time, or network upgrade boundaries. An attacker (malicious miner) exploits this by:
1. Submitting a transaction with expiry height H+1 to the target Zebra node, which verifies it and adds it to the mempool.
2. Mining two blocks: block H+1 and block H+2, where block H+2 contains the same transaction.
3. Propagating block H+2 before block H+1 to vulnerable Zebra nodes.
4. Zebra’s cached verification accepts block H+2 as valid (since transaction is in mempool) and waits for block H+1.
5. When block H+1 arrives, Zebra commits both blocks, even though the transaction expired at H+1 and is invalid in H+2.
6. Other nodes (zcashd or patched Zebra) reject block H+2, causing a chain fork. The vulnerable node becomes isolated from the consensus network. The root cause is failure to re-validate height-dependent transaction fields (expiry, locktime, upgrade activation) against the target block’s height when using the mempool cache.
dailycve form:
Platform: Zebra node
Version: < 4.3.1
Vulnerability: Cache consensus bypass
Severity: High
date: 2026-04-10
Prediction: Patch 2026-04-25
What Undercode Say:
Analytics: Monitor mempool cache hits vs height mismatches.
Check Zebra version zebrad --version | grep "Zebra" Verify fix applied (v4.3.1+) grep "transaction.verification.cache" ~/.cache/zebra/debug.log Simulate height-dependent expiry validation zcash-cli getblockchaininfo | grep "blocks" curl -s http://localhost:8232/status | jq '.chain.height'
Exploit:
Miner submits tx with expiry=H+1, mines H+2 containing same tx, sends H+2 before H+1 to vulnerable nodes, causing them to accept invalid block and fork.
Protection from this CVE:
Upgrade to Zebra 4.3.1 immediately. No workaround; disable cache optimization only in fixed version. Validate all height-dependent fields (expiry, locktime, NU) even for mempool-cached txs.
Impact:
Consensus split, network partition, potential double-spends on isolated nodes. Affects all pre-4.3.1 Zebra nodes running V5 transaction cache.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

