ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
References
| Link | Resource |
|---|---|
| https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 | Release Notes |
| https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg | Vendor Advisory |
| https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Apr 2026, 21:02
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 - Release Notes | |
| References | () https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg - Vendor Advisory | |
| References | () https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements - Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CWE | CWE-502 | |
| CPE | cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:* cpe:2.3:a:zfnd:zebra:*:*:*:*:*:rust:*:* |
|
| First Time |
Zfnd
Zfnd zebra-chain Zfnd zebra |
31 Mar 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-31 15:16
Updated : 2026-04-07 21:02
NVD link : CVE-2026-34202
Mitre link : CVE-2026-34202
CVE.ORG link : CVE-2026-34202
JSON object : View
Products Affected
zfnd
- zebra-chain
- zebra