Platform: linux
Component: zcashd
Fixed in: 6.12.0
CVE-2026-35679 is a security vulnerability affecting Zcashd versions prior to 6.12.0. This flaw allows invalid transactions to be accepted under specific circumstances, potentially enabling attackers to drain user funds from the Sprout pool. The vulnerability stems from inadequate verification of Sprout proofs, a critical component of Zcash's privacy features. Users are strongly advised to upgrade to version 6.12.0 to mitigate this risk.
CVE-2026-35679 in zcashd, affecting versions prior to 6.12.0, allows invalid transactions to be accepted under certain conditions. Specifically, the software was not always correctly verifying Sprout proofs. This could have allowed an attacker to craft fraudulent transactions that, if successfully exploited, could result in the draining of user funds from the Sprout pool. The severity of this issue lies in the potential direct financial impact to Zcash users utilizing the Sprout protocol. While no active exploits have been reported, the existence of this vulnerability represents a significant security risk to the Zcash network.
Exploitation of this vulnerability requires a deep understanding of the Sprout protocol and the ability to craft malicious transactions that bypass proof verification. While the technical complexity may be high, the potential reward for an attacker (draining funds from the Sprout pool) is significant. Successful exploitation is believed to involve the creation of forged Sprout proofs or the manipulation of transaction data to deceive the zcashd node. The lack of a KEV (Known Exploited Vulnerabilities) listing indicates that, to date, there has been no publicly confirmed active exploitation of this vulnerability, but the possibility exists and should be taken seriously.
Users running zcashd versions 0.0 through 6.11.0 are at risk. This includes individuals participating in the Zcash Sprout pool, as well as those running full nodes for privacy and transaction validation. Those relying on older, unpatched zcashd installations are particularly vulnerable.
• linux / server:
journalctl -u zcashd -g 'Sprout proof verification failed'
• linux / server:
ps aux | grep -i zcashd | grep -i sprout
Exploit status
EPSS: 0.01% (1% percentile)
CISA SSVC
CVSS vector
The solution to mitigate CVE-2026-35679 is to upgrade to version 6.12.0 or higher of zcashd. This update includes fixes that ensure proper verification of Sprout proofs, preventing the acceptance of invalid transactions. All zcashd users are strongly encouraged to update their nodes as soon as possible. Additionally, it is important to monitor the Zcash network for any suspicious activity. For users unable to upgrade immediately, consider taking additional precautions, such as reducing the amount of funds held in the Sprout pool and increasing vigilance over transactions.
Upgrade to version 6.12.0 or later to fix the Sprout proof verification flaw. This update ensures that invalid transactions cannot be accepted, thereby protecting users' funds in the Sprout pool.
Sprout is a privacy protocol for Zcash that allows users to conceal the amount and the sender/recipient of their transactions.
If you use the Sprout protocol and do not upgrade to version 6.12.0 or later, you risk losing funds.
You can download the updated version from the official Zcash website: [https://zcash.io/](https://zcash.io/)
If you suspect that your node has been compromised, stop the node immediately, change all of your Zcash-related passwords, and contact the Zcash community for help.
You can check the zcashd version by running the command zcashd -version on the command line.
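The version check can be scripted so that a node older than the fixed release 6.12.0 is flagged automatically. The following is an added example, not code from the original page or the zcashd project; the banner format, the function names and the sample banners are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: is this zcashd older than the fixed release named on this page?
FIXED_VERSION="6.12.0"

# extract_version TEXT: print the first X.Y.Z token found in TEXT.
# ASSUMPTION: the version banner contains a dotted triple such as "v6.11.0";
# any suffix after the triple (for example "-rc1") is ignored.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: exit 0 when A < B, comparing major/minor/patch as integers.
# A string comparison would wrongly rank 6.9.0 above 6.12.0.
version_lt() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# check_zcashd_banner TEXT: print a verdict and return
#   0 = fixed (>= 6.12.0), 1 = vulnerable (< 6.12.0), 2 = version not parseable.
check_zcashd_banner() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: no X.Y.Z version found"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable: $ver predates $FIXED_VERSION"
        return 1
    fi
    echo "ok: $ver includes the fix"
}

# Constructed sample banners (not captured from a real node).
for banner in "Zcash Daemon version v6.9.0" "Zcash Daemon version v6.11.0" \
              "Zcash Daemon version v6.12.0" "garbled output"; do
    check_zcashd_banner "$banner" || true
done
# On a real node: check_zcashd_banner "$(zcashd -version 2>/dev/null)"
```

The non-zero return codes let the function serve as a gate in a monitoring or configuration-management job.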