CVSS 9.5 | CVE-2026-34202 | CVE-2026-34377

Critical: Zebra DoS and Consensus Vulnerabilities (CVE-2026-34202, 34377)

Critical vulnerabilities in Zebra (CVE-2026-34202, CVE-2026-34377) allow for remote DoS and consensus failure. Upgrade to Zebra 4.3.0 immediately to mitigate these risks.


Two critical vulnerabilities have been discovered in Zebra, a Rust-based Zcash node implementation. These flaws could allow for remote denial-of-service attacks and consensus failures, potentially leading to network splits. Users running affected versions should upgrade to Zebra 4.3.0 immediately to mitigate these risks.

The highest CVSS score is 9.5, indicating a critical vulnerability exploitable remotely.

What is Zebrad?

Zebrad is a Rust implementation of a Zcash node, designed to provide an alternative to the official `zcashd` client. It participates in the Zcash network by validating transactions and blocks, maintaining a local copy of the blockchain, and relaying network traffic. Zebrad aims to improve performance, security, and accessibility within the Zcash ecosystem.

CVE-2026-34202: Zebra Node Crash via Crafted V5 Transactions

CVSS: 9.5
Affected versions: All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0 are affected.

Critical: Remote, unauthenticated denial of service vulnerability.

EPSS score of 0.187 suggests a low probability of exploitation.

A remote, unauthenticated attacker can cause a Zebra node to crash by sending a specially crafted V5 transaction. The vulnerability lies in the lazy validation of transaction fields, leading to a panic during transaction ID calculation.

How to fix CVE-2026-34202 in Zebrad

Patch immediately
  1. Upgrade your Zebra installation to version 4.3.0 or later.
Update Zebrad: `cargo update zebrad`

Workaround: If an immediate upgrade is not possible, ensure your RPC port is not exposed to the Internet. Restrict P2P port access to trusted peers.


CVE-2026-34377: Zebra Consensus Failure due to Improper V5 Transaction Verification

CVSS: 7.5
Affected versions: All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0 are affected.

High: Consensus failure leading to network partition.

EPSS score of 0.025 suggests a very low probability of exploitation.

A malicious miner could induce a consensus split by crafting a block with a modified V5 transaction that shares a transaction ID with a valid transaction in a Zebra node's mempool. This bypasses the `check_v5_auth()` call, leading the vulnerable node to accept an invalid block.
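The failure class described above, as an added toy model (not Zebra's code, and not taken from the advisory): a V5 transaction ID does not commit to the authorizing data (signatures and proofs), so a "seen in mempool" shortcut keyed on the txid alone cannot justify skipping the authorization check. The types, function names, stand-in digest and validity rule are all hypothetical, and the mempool shortcut itself is an assumed simplification of the mechanism.

```rust
use std::collections::{hash_map::DefaultHasher, HashSet};
use std::hash::{Hash, Hasher};

// Toy V5 transaction: the txid commits to `effects` only; `auth` stands in
// for signatures and proofs. All names here are hypothetical.
struct Tx { effects: Vec<u8>, auth: Vec<u8> }

// Stand-in for the real digest; not cryptographic.
fn digest(data: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    data.hash(&mut h);
    h.finish()
}

impl Tx {
    fn txid(&self) -> u64 { digest(&self.effects) }
    fn auth_digest(&self) -> u64 { digest(&self.auth) }
    // Constructed validity rule standing in for the authorization check.
    fn auth_is_valid(&self) -> bool { self.auth == b"valid-signature" }
}

// Remembers transactions that already passed full verification.
#[derive(Default)]
struct Mempool { by_txid: HashSet<u64>, by_full_id: HashSet<(u64, u64)> }

impl Mempool {
    fn accept(&mut self, tx: &Tx) -> bool {
        if !tx.auth_is_valid() { return false; }
        self.by_txid.insert(tx.txid());
        self.by_full_id.insert((tx.txid(), tx.auth_digest()));
        true
    }
    // Flawed: skips the auth check when only the txid matches.
    fn block_tx_ok_flawed(&self, tx: &Tx) -> bool {
        self.by_txid.contains(&tx.txid()) || tx.auth_is_valid()
    }
    // Hardened: skips it only when txid and auth digest both match.
    fn block_tx_ok_hardened(&self, tx: &Tx) -> bool {
        self.by_full_id.contains(&(tx.txid(), tx.auth_digest())) || tx.auth_is_valid()
    }
}

// Returns (flawed, hardened) verdicts for the block's copy of a mempool tx.
fn verdicts(auth: &[u8]) -> (bool, bool) {
    let good = Tx { effects: b"constructed-effects".to_vec(), auth: b"valid-signature".to_vec() };
    let mut pool = Mempool::default();
    pool.accept(&good);
    let in_block = Tx { auth: auth.to_vec(), ..good };
    (pool.block_tx_ok_flawed(&in_block), pool.block_tx_ok_hardened(&in_block))
}

fn main() { println!("{:?}", verdicts(b"altered")); }
```

The general rule for any verification cache: key it on an identifier that commits to every byte the skipped check would have examined.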

How to fix CVE-2026-34377 in Zebrad

Patch immediately
  1. Upgrade your Zebra installation to version 4.3.0 or later.
Update Zebrad: `cargo update zebrad`

Workaround: There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path.



These vulnerabilities pose significant risks to Zebra nodes and the Zcash network. Ensure you upgrade to version 4.3.0 immediately to mitigate these issues and maintain network stability.
