CVE-2026-34377

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-34377
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 Release Notes
https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh Exploit Vendor Advisory
https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:zfnd:zebra:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebra-consensus:*:*:*:*:*:rust:*:*
History

06 Apr 2026, 16:57

Type Values Removed Values Added
References () https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 - () https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0 - Release Notes
References () https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh - () https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh - Exploit, Vendor Advisory
References () https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements - () https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements - Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
CPE cpe:2.3:a:zfnd:zebra:*:*:*:*:*:rust:*:*
cpe:2.3:a:zfnd:zebra-consensus:*:*:*:*:*:rust:*:*
First Time Zfnd
Zfnd zebra-consensus
Zfnd zebra

31 Mar 2026, 15:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-31 15:16

Updated : 2026-04-06 16:57

NVD link : CVE-2026-34377

Mitre link : CVE-2026-34377

CVE.ORG link : CVE-2026-34377

JSON object : View

Products Affected

zfnd

  • zebra-consensus
  • zebra
CWE
CWE-347

Improper Verification of Cryptographic Signature