Critical Zebra Flaws Enable Zcash Node Crashes and Consensus Splits
Two high-severity vulnerabilities in Zebra, the Rust-based Zcash node implementation, could let attackers disrupt node availability and network consensus. CVE-2026-34202 allows a remote, unauthenticated attacker to crash vulnerable nodes by sending a specially crafted V5 transaction that passes deserialization but triggers a panic during transaction ID calculation. The bug affects versions before zebrad 4.3.0 and zebra-chain 6.0.1, creating a P2P-reachable denial-of-service condition with high availability impact.
A second flaw, CVE-2026-34377, stems from a logic error in Zebra's transaction verification cache and could allow a malicious miner to cause a consensus split. By reusing a valid transaction ID with invalid authorization data, an attacker could make vulnerable Zebra nodes accept an invalid block while unaffected Zebra and zcashd nodes stay on the correct chain. The issue affects versions before zebrad 4.3.0 and zebra-consensus 5.0.1; patches are available in zebrad 4.3.0, zebra-chain 6.0.1, and zebra-consensus 5.0.1.
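The consensus-split mechanism above turns on what a verification cache uses as its key. Under ZIP 244 the V5 transaction ID is non-malleable: it commits to the transaction's effecting data and deliberately excludes the authorizing data (signatures and proofs), which has its own digest. A cache keyed by txid alone therefore cannot distinguish a verified transaction from one with the same txid and different authorizing data, so a miner can get the invalid variant accepted on a cache hit. The Rust model below was written for this page and is not Zebra's code; the transaction layout, the digest, the toy authorization rule and the cache shapes are assumptions for illustration, and the block does not claim that Zebra's shipped fix takes exactly this form. It shows the txid-keyed cache beside one whose key also binds the authorizing data.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};

/// Toy V5-style transaction (assumed layout). `effecting` stands for the
/// fields ZIP 244 hashes into the txid; `auth` stands for the authorizing
/// data (signatures, proofs) that the txid deliberately excludes.
#[derive(Clone, Debug)]
pub struct Tx {
    pub effecting: Vec<u8>,
    pub auth: Vec<u8>,
}

/// Stand-in digest for the example; a real node uses BLAKE2b per ZIP 244.
fn digest(bytes: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    bytes.hash(&mut h);
    h.finish()
}

impl Tx {
    /// Non-malleable id: covers effecting data only.
    pub fn txid(&self) -> u64 { digest(&self.effecting) }
    /// Digest of the authorizing data, kept separate from the txid.
    pub fn auth_digest(&self) -> u64 { digest(&self.auth) }
}

/// Toy authorization rule (assumption): the "signature" must equal the
/// txid's little-endian bytes.
fn verify_auth(tx: &Tx) -> bool {
    tx.auth == tx.txid().to_le_bytes()
}

/// Vulnerable cache: a hit on txid alone skips the authorization check, so a
/// second transaction with the same txid and garbage auth data is accepted.
#[derive(Default)]
pub struct TxidKeyedCache { verified: HashSet<u64> }

impl TxidKeyedCache {
    pub fn verify(&mut self, tx: &Tx) -> bool {
        if self.verified.contains(&tx.txid()) {
            return true; // cache hit: auth data is never examined
        }
        let ok = verify_auth(tx);
        if ok { self.verified.insert(tx.txid()); }
        ok
    }
}

/// Hardened cache: the key binds the authorizing data too, so a transaction
/// with the same txid but different auth data misses and is re-verified.
#[derive(Default)]
pub struct AuthBoundCache { verified: HashSet<(u64, u64)> }

impl AuthBoundCache {
    pub fn verify(&mut self, tx: &Tx) -> bool {
        let key = (tx.txid(), tx.auth_digest());
        if self.verified.contains(&key) { return true; }
        let ok = verify_auth(tx);
        if ok { self.verified.insert(key); }
        ok
    }
}

/// Constructed sample: an honest mempool transaction, then a block containing
/// the same txid with invalid authorizing data.
pub fn build_pair() -> (Tx, Tx) {
    let effecting = b"spend 1 ZEC from A to B".to_vec();
    let honest = Tx { effecting: effecting.clone(), auth: digest(&effecting).to_le_bytes().to_vec() };
    let forged = Tx { effecting, auth: vec![0xff; 8] };
    (honest, forged)
}

/// Returns (forged tx accepted by the txid-keyed cache, forged tx accepted by
/// the auth-bound cache) after both caches have verified the honest tx.
pub fn demo() -> (bool, bool) {
    let (honest, forged) = build_pair();
    let mut weak = TxidKeyedCache::default();
    let mut strong = AuthBoundCache::default();
    assert!(weak.verify(&honest) && strong.verify(&honest)); // mempool verification
    (weak.verify(&forged), strong.verify(&forged))           // block with forged auth
}

fn main() {
    let (weak, strong) = demo();
    println!("txid-keyed cache accepts forged auth data: {weak}");
    println!("auth-bound cache accepts forged auth data: {strong}");
}
```

The check a practitioner wants here is the second verify call: the honest transaction and the forged one share a txid but differ in auth digest, and only the cache whose key includes that digest re-runs authorization and rejects the block.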
Timeline
Apr 18, 2026
Zebra Orchard signature verification DoS vulnerability is disclosed
A new denial-of-service vulnerability affecting Zebra was publicly described in the orchard Rust crate used for Orchard signature verification. Supplying the identity point as a randomized validating key can cause an unwrap on a None value, triggering a Rust panic and terminating the node during transaction validation.
Apr 18, 2026
Zebra JSON-RPC DoS vulnerability GHSA-29X4-R6JV-FF4W is disclosed
A new Zebra vulnerability affecting zebra-rpc was publicly described as a denial-of-service issue caused by interrupted JSON-RPC requests that trigger a Rust panic and daemon abort. The impact was limited because exploitation requires authentication and the RPC interface binds to localhost by default, though exposed RPC services could be disrupted until restarted.
Mar 31, 2026
CVE-2026-34202 and CVE-2026-34377 are publicly disclosed
Two high-severity Zebra vulnerabilities were published: CVE-2026-34202, a P2P-reachable node crash bug, and CVE-2026-34377, a consensus failure issue. Both disclosures described affected versions, impact, and patched releases.
Mar 31, 2026
Zebra patches consensus failure flaw in zebrad 4.3.0 and zebra-consensus 5.0.1
Zebra fixed a logic error in its transaction verification cache that could let a malicious miner trigger a consensus split by reusing a valid transaction ID with invalid authorization data. The issue affected versions prior to zebrad 4.3.0 and zebra-consensus 5.0.1.
Mar 31, 2026
Zebra patches node crash flaw in zebrad 4.3.0 and zebra-chain 6.0.1
The V5 transaction hash panic issue affecting Zebra versions prior to zebrad 4.3.0 and zebra-chain 6.0.1 was fixed. The bug could cause a panic during transaction ID calculation and crash the node.
Mar 31, 2026
Zebra receives report of V5 transaction hash panic vulnerability
A report of the flaw later assigned CVE-2026-34202 was received through GitHub security advisories (security-advisories@github.com). The flaw allowed a remote unauthenticated attacker to crash vulnerable Zebra nodes via a malformed V5 transaction.
Related Stories

Nimiq Rust Components Exposed to Consensus and Supply Manipulation Flaws
Two high-severity vulnerabilities were disclosed in Nimiq's Rust implementation affecting blockchain validation and consensus logic. `CVE-2026-40093` impacts `nimiq-blockchain` version `1.3.0` and earlier because block timestamp validation checks only consistency with the parent block and does not enforce an upper bound against wall-clock time. A malicious block-producing validator can submit blocks dated far into the future, which alters reward calculations in `Policy::supply_at()` and `batch_delay()` and can inflate monetary supply beyond the intended emission schedule. The issue was mapped to `CWE-1284` and published alongside GitHub advisory `GHSA-49xc-52mp-cc9j`. A second flaw, `CVE-2026-33471`, affects `nimiq-block` versions prior to `1.3.0` in `SkipBlockProof::verify`, where quorum validation can be bypassed through out-of-range `BitSet` indices and `u16` truncation. By spacing forged signer indices by `65536`, a malicious validator can make multiple entries collide into the same valid slot and effectively reuse a single BLS signature to satisfy skip block proof checks without the required `2f+1` real signer slots. The vulnerability carries no known workaround, and the fix was released in version `1.3.0`, highlighting risks to both consensus integrity and chain availability if unpatched nodes remain in use.
1 week ago
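The `CVE-2026-33471` summary above describes the quorum bypass in enough detail to model: signer indices that differ by multiples of 65536 are counted as distinct entries, then each is narrowed to a `u16` slot number, so they all land on one real slot. The Rust block below is an added example written for this page, not Nimiq's code; the 512-slot set, the 2f+1 threshold of 341 and the two check functions are assumptions that reproduce the described behaviour, not the project's actual proof structure. It places the truncating check beside one that rejects out-of-range indices before counting and counts distinct slots rather than distinct raw indices.

```rust
use std::collections::BTreeSet;

/// Validator slot count assumed for the example.
pub const NUM_SLOTS: usize = 512;

/// Vulnerable model of the described flaw: raw indices are deduplicated and
/// counted against the quorum, then each is narrowed to a u16 slot when the
/// signer's key is looked up. 5, 65541, 131077, ... are distinct here but all
/// become slot 5, so one real signer's key is aggregated many times.
pub fn signer_slots_vulnerable(indices: &[usize], quorum: usize) -> Result<Vec<u16>, &'static str> {
    let distinct: BTreeSet<usize> = indices.iter().copied().collect();
    if distinct.len() < quorum { return Err("not enough signers"); }
    Ok(distinct.into_iter().map(|i| i as u16).collect()) // truncation happens here
}

/// Hardened: reject any index outside the slot range before it is counted,
/// and count distinct slots (not distinct raw indices) against the quorum.
pub fn signer_slots_hardened(indices: &[usize], quorum: usize) -> Result<Vec<u16>, &'static str> {
    let mut slots = BTreeSet::new();
    for &i in indices {
        if i >= NUM_SLOTS { return Err("signer index out of range"); }
        slots.insert(i as u16); // lossless: i < 512 fits in u16
    }
    if slots.len() < quorum { return Err("not enough signers"); }
    Ok(slots.into_iter().collect())
}

/// Forged signer list: one real slot padded with aliases spaced by 65536.
pub fn forged_indices(real_slot: usize, copies: usize) -> Vec<usize> {
    (0..copies).map(|k| real_slot + k * (u16::MAX as usize + 1)).collect()
}

/// Returns (slots the vulnerable check hands on for key aggregation, hardened result)
/// for a forged proof that names only slot 5.
pub fn demo() -> (Result<Vec<u16>, &'static str>, Result<Vec<u16>, &'static str>) {
    let quorum = 2 * 170 + 1; // 2f+1 with f = 170 for 512 slots (assumed)
    let forged = forged_indices(5, quorum);
    (signer_slots_vulnerable(&forged, quorum), signer_slots_hardened(&forged, quorum))
}

fn main() {
    let (weak, strong) = demo();
    match weak {
        Ok(slots) => println!("vulnerable check passed; distinct slots actually signing: {}",
            slots.iter().collect::<BTreeSet<_>>().len()),
        Err(e) => println!("vulnerable check failed: {e}"),
    }
    println!("hardened check: {strong:?}");
}
```

The general rule the example illustrates is to validate an index against the real range in its original width and deduplicate on the value that is actually used downstream; any `as` narrowing between the check and the use reopens the gap.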
libp2p-rust Gossipsub PRUNE Backoff Flaws Enable Remote DoS
Two high-severity flaws in the Rust implementation of **libp2p** allow remote peers to crash applications using the **Gossipsub** protocol by sending crafted `PRUNE` control messages with extremely large backoff values. **CVE-2026-33040** affects versions prior to `0.49.3`, where unchecked time arithmetic in the networking state machine can panic and cause a denial of service, while **CVE-2026-34219** affects versions prior to `0.49.4` through improper backoff expiry handling that triggers an `Instant + Duration` integer overflow during heartbeat processing. The bugs are reachable over normal Gossipsub peer connectivity, including TCP sessions using Noise with `mplex` or `yamux`, and do not require traditional authentication beyond establishing a protocol peer relationship. Both issues are classified under **CWE-190** for integer overflow, with the newer advisory also citing **CWE-617**, and both primarily impact availability by enabling unauthenticated or minimally authenticated remote attackers to force panics in exposed services. Maintainers patched the issues in **libp2p-rust** versions `0.49.3` and `0.49.4`, respectively.
1 month ago
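The libp2p summary above names the primitive at fault: `Instant + Duration` with a peer-supplied backoff. In Rust's standard library `Duration::from_secs(u64::MAX)` is a legal value, but adding it to an `Instant` panics when the result cannot be represented, while `Instant::checked_add` returns `None` instead. The block below is an added example written for this page, not rust-libp2p's Gossipsub code; the one-hour backoff ceiling, the `(peer, topic)` table and the heartbeat shape are assumptions. It shows the panicking expiry computation beside a clamped, checked one, and a heartbeat loop that keeps working after a hostile PRUNE.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Policy ceiling on any peer-requested backoff (assumed value for the example).
pub const MAX_BACKOFF: Duration = Duration::from_secs(3600);

#[derive(Debug, PartialEq)]
pub enum BackoffError { Unrepresentable }

/// Vulnerable: trusts the wire value. `Instant + Duration` panics when the sum
/// does not fit the platform's time representation, so one PRUNE carrying a
/// huge backoff aborts the process.
pub fn backoff_expiry_vulnerable(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Hardened: clamp to policy first, then use checked arithmetic so an
/// unrepresentable result is an error the caller can drop, not a panic.
pub fn backoff_expiry_hardened(now: Instant, backoff_secs: u64) -> Result<Instant, BackoffError> {
    let bounded = Duration::from_secs(backoff_secs).min(MAX_BACKOFF);
    now.checked_add(bounded).ok_or(BackoffError::Unrepresentable)
}

/// Per-(peer, topic) backoff table as a heartbeat loop would keep it.
#[derive(Default)]
pub struct Backoffs { until: HashMap<(String, String), Instant> }

impl Backoffs {
    /// Record a PRUNE from `peer` on `topic`. Returns false if the request was dropped.
    pub fn on_prune(&mut self, now: Instant, peer: &str, topic: &str, backoff_secs: u64) -> bool {
        match backoff_expiry_hardened(now, backoff_secs) {
            Ok(expiry) => { self.until.insert((peer.into(), topic.into()), expiry); true }
            Err(_) => false,
        }
    }

    /// Heartbeat: drop expired entries. Comparisons cannot overflow, and every
    /// stored expiry was produced by the checked path. Returns entries remaining.
    pub fn heartbeat(&mut self, now: Instant) -> usize {
        self.until.retain(|_, expiry| *expiry > now);
        self.until.len()
    }

    pub fn is_backed_off(&self, now: Instant, peer: &str, topic: &str) -> bool {
        self.until.get(&(peer.to_string(), topic.to_string())).map_or(false, |&e| e > now)
    }
}

/// Returns (did the vulnerable path panic, hardened result) for a PRUNE whose
/// backoff field is u64::MAX seconds.
pub fn demo() -> (bool, Result<Instant, BackoffError>) {
    let now = Instant::now();
    let panicked = std::panic::catch_unwind(|| backoff_expiry_vulnerable(now, u64::MAX)).is_err();
    (panicked, backoff_expiry_hardened(now, u64::MAX))
}

fn main() {
    let (panicked, hardened) = demo();
    println!("unchecked Instant + Duration panicked: {panicked}");
    println!("clamped, checked expiry computed: {}", hardened.is_ok());
}
```

Clamping alone would already neutralise the oversized value; the `checked_add` stays as the defence for any other path that reaches the arithmetic with an unbounded duration, which is the kind of second entry point the `0.49.4` fix needed after `0.49.3`.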
Progress ShareFile Storage Zones Controller Flaws Enable Unauthorized Access and RCE
Progress disclosed two high-severity vulnerabilities in **Customer Managed ShareFile Storage Zones Controller (SZC)** that could expose organizations to unauthorized access and remote code execution. **`CVE-2026-2699`** allows an unauthenticated attacker to reach restricted configuration pages, creating a path to unauthorized system configuration changes and possible code execution. The flaw is rated **CVSS 9.8** (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`) and is associated with **CWE-284** and **CWE-698**. A second issue, **`CVE-2026-2701`**, allows an authenticated user to upload a malicious file to the server and execute it, resulting in remote code execution in ShareFile SZC environments. That vulnerability carries a **CVSS 8.8** rating (`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`) and is mapped to **CWE-94**, **CWE-78**, and **CWE-434**. The disclosures reference vendor security guidance for ShareFile and indicate that both flaws can significantly affect confidentiality, integrity, and availability in customer-managed deployments.
1 month ago