Zebra, Consensus Failure, CVE-2026-34377 (High)

Listen to this Post

How the Mentioned CVE Works

The vulnerability resides in Zebra’s transaction verification cache, specifically within the `find_verified_unmined_tx` function in transaction.rs. This function optimizes block verification by reusing mempool validation results. The cache uses the ZIP-244 `txid` as the unique key. For V5 transactions, the `txid` excludes the Authorization Data Root (signatures and proofs). A malicious miner observes a valid V5 transaction broadcast to the network, which enters the mempool of a vulnerable Zebra node. The miner then crafts a block containing a modified version of that transaction. This modified version retains the same `txid` as the original but includes invalid signatures or proofs. When the vulnerable Zebra node processes this block, it finds the matching `txid` in its mempool cache. Consequently, the node incorrectly assumes the block’s transaction is already verified and skips the essential `check_v5_auth()` call. The node commits the block containing the invalid transaction. Other nodes, such as `zcashd` or patched Zebra instances without that transaction in their mempool, reject the block. This creates a consensus split, isolating the vulnerable node on a fork. The flaw is not about accepting invalid transactions, but about inducing a network partition through a logic error in the verification cache.

dailycve form:

Platform: Zebra
Version: prior 4.3.0
Vulnerability: Consensus split via txid mismatch
Severity: High
date: 2026-03-31

Prediction: Already Patched

What Undercode Say:

Check Zebra version to see if vulnerable (< 4.3.0)
zebrad --version
Inspect the vulnerable function in transaction.rs
grep -n "find_verified_unmined_tx" zebra-chain/src/transaction.rs
Example of a V5 transaction txid calculation (excludes auth data)
echo "txid = hash(version + inputs + outputs + expiry_height + value_balance + binding_sig_hash + orchard_actions_digest)"
Verify the fix ensures full integrity check including auth data
Patch diff example:
- if let Some(verified_tx) = self.find_verified_unmined_tx(txid) {
+ if let Some(verified_tx) = self.find_verified_unmined_tx(txid)
+ && verified_tx.auth_data_root() == tx.auth_data_root() {

Exploit:

  1. Attacker waits for a valid V5 transaction to propagate to a vulnerable Zebra node.
  2. Attacker creates a new block containing a mutated version of that transaction with the same `txid` but invalid proofs/signatures.
  3. The vulnerable Zebra node sees the `txid` in its mempool cache and skips re-verifying the authorization data.
  4. The node accepts the invalid block, while the rest of the network rejects it, causing a persistent chain fork.

Protection from this CVE

Upgrade Zebra to version 4.3.0 or later immediately. This version includes a fix that ensures the verification cache only skips re-checking a transaction if the full integrity—including the authorization data root—matches the mempool entry. There are no workarounds; upgrading is the only mitigation.

Impact

  • Consensus Failure: A malicious miner can induce a network partition, isolating vulnerable nodes from the main Zcash chain.
  • Service Disruption: Vulnerable nodes become stuck on a fork, unable to sync or transact with the majority network.
  • Double-Spend Potential: The attacker may leverage the split to facilitate double-spend attacks against affected nodes.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top