External risk intelligence

Zcash nodes could split leading to service disruption

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-44497

A critical flaw in Zcash node software could cause a blockchain split, disrupting transactions and network integrity. Promptly update your Zcash software to protect against this risk.

4Halo Surface Signal

Zfnd Zebra Script

before 6.0.0before 4.4.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-44497

The software is a cryptocurrency node designed to participate in a peer-to-peer network, requiring it to accept connections from external peers over the public internet to function. Because this public network reachability is a fundamental requirement for the software to operate as intended within the blockchain ecosystem, it is considered an internet-facing service in common deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Zcash node software could allow an invalid signature hash type to be accepted, potentially causing a split in the blockchain's consensus. This could lead to a situation where different versions of the ledger exist, impacting the integrity of transactions.

  • Can disrupt blockchain consensus.
  • Affects Zcash nodes.
  • Requires a specific condition to be exploited.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by sending crafted transactions to a vulnerable Zcash node. If the node processes an invalid sighash type while a valid signature is in the buffer from a previous operation, it could accept the invalid hash. This would cause a consensus split, disrupting the Zcash network.

  • No authentication required.
  • Targets sighash computation.
  • Requires specific transaction crafting.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability impacts a Zcash node, which is a critical component of the Zcash cryptocurrency network. Exploitation could lead to a consensus split, potentially disrupting the network's integrity. While the direct impact to individual users might not be immediately apparent, the potential for network-wide disruption makes this a significant concern for the Zcash ecosystem.

  • No observed exploitation.
  • No public exploit code.
  • Affects a core cryptocurrency service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Zcash node software and related scripts to versions 4.4.0 and 6.0.0, respectively, to address the critical vulnerability that could lead to consensus splits. If immediate patching is not feasible, implement strict network segmentation and enhance monitoring for anomalous transaction validation behavior.

  • Patch zebrad to 4.4.0 and zebra-script to 6.0.0.
  • Isolate vulnerable nodes if patching is delayed.
  • Monitor for invalid sighash type anomalies.

Frequently asked questions

What is zebrad and what is it used for?

Zebrad is a Zcash node implemented in Rust. It functions as a cryptocurrency node, enabling participation in the Zcash peer-to-peer network for processing transactions and maintaining the blockchain's integrity. Users interact with zebrad to support and engage with the Zcash ecosystem.

What kind of weakness does CVE-2026-44497 represent?

CVE-2026-44497 is a vulnerability categorized under CWE-347, which involves the improper validation of cryptographic signature formats. In zebrad, insufficient error handling for invalid sighash types during sighash computation allowed the program to proceed incorrectly, potentially accepting invalid hashes and causing a consensus split.

How could an attacker trigger CVE-2026-44497?

An attacker could trigger this vulnerability by sending specially crafted transactions to a vulnerable Zcash node. If a previous signature validation left a valid sighash in a buffer, the node might incorrectly accept an invalid sighash type. The vulnerability is not triggered if the sighash type is correctly handled or if there isn't a valid sighash already in the buffer from a prior operation.

Who should be concerned about this vulnerability, considering its exposure?

Anyone running zebrad or zebra-script versions prior to 4.4.0 and 6.0.0, respectively, should be concerned. The software is classified as external, meaning it's likely internet-facing, as Zcash nodes inherently connect to a peer-to-peer network.

What is the first step to address this vulnerability?

The immediate first step is to update zebrad to version 4.4.0 or later, and zebra-script to version 6.0.0 or later. These updates contain the necessary patches to fix the insufficient error handling that led to the vulnerability.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished