Platform: rust
Component: zebrad
Fixed in: 4.3.1, 5.0.2, 4.3.0
CVE-2026-34377 describes a consensus failure vulnerability within Zebra, a Zcash node implementation. This flaw allows a malicious miner to induce a consensus split by exploiting a logic error in the transaction verification cache. Affected versions include those prior to 4.3.0; upgrading to 4.3.0 resolves the issue.
The core impact of CVE-2026-34377 is the potential for a consensus split within the Zcash network. An attacker can craft authorization data that is invalid yet belongs to a transaction with the same txid as a valid one. This can trick vulnerable Zebra nodes into accepting an invalid block, causing them to diverge from the main Zcash network. While this vulnerability does not directly let attackers get invalid transactions accepted, it can isolate vulnerable nodes, disrupting their ability to participate in the network and potentially leading to chain instability. The blast radius is limited to Zebra nodes running vulnerable versions, but the impact on network consensus is significant.
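A simplified model of the failure described above, added here as an illustration and not taken from Zebra's code: a verifier caches transactions it has checked, and the cache key decides whether a same-txid copy with different authorization data is checked again. The `Tx`, `Verifier`, `sign` and `digest` names, the toy signature rule and the sample bytes are assumptions; keying on txid plus an authorization digest is one hardened form, not necessarily the fix Zebra shipped.

```rust
use std::collections::{hash_map::DefaultHasher, HashSet};
use std::hash::{Hash, Hasher};

// Toy V5-style transaction (constructed): the txid commits to `effects` only,
// not to `auth` (signatures and proofs).
struct Tx { effects: Vec<u8>, auth: Vec<u8> }
// Stand-in for a cryptographic hash; not collision resistant.
fn digest(b: &[u8]) -> u64 { let mut h = DefaultHasher::new(); b.hash(&mut h); h.finish() }
// Constructed "signature" rule: valid auth is b"sig:" followed by the effects.
fn sign(effects: &[u8]) -> Vec<u8> { [&b"sig:"[..], effects].concat() }

impl Tx {
    fn txid(&self) -> u64 { digest(&self.effects) }
    fn auth_digest(&self) -> u64 { digest(&self.auth) }
    fn auth_is_valid(&self) -> bool { self.auth == sign(&self.effects) }
}

// Hypothetical verifier that remembers transactions it has already checked.
struct Verifier { key_includes_auth: bool, seen: HashSet<(u64, u64)> }

impl Verifier {
    // Weak form keys the cache on txid alone; hardened form adds the auth digest.
    fn key(&self, tx: &Tx) -> (u64, u64) {
        (tx.txid(), if self.key_includes_auth { tx.auth_digest() } else { 0 })
    }
    // Full verification; only valid transactions enter the cache.
    fn verify_and_cache(&mut self, tx: &Tx) -> bool {
        let ok = tx.auth_is_valid();
        if ok { let k = self.key(tx); self.seen.insert(k); }
        ok
    }
    // Block validation: a cache hit skips the authorization check.
    fn verify_in_block(&self, tx: &Tx) -> bool {
        self.seen.contains(&self.key(tx)) || tx.auth_is_valid()
    }
}

// Does a block carrying a same-txid copy with invalid auth pass validation?
fn bad_auth_block_accepted(key_includes_auth: bool) -> bool {
    let mut v = Verifier { key_includes_auth, seen: HashSet::new() };
    let good = Tx { effects: b"constructed".to_vec(), auth: sign(b"constructed") };
    assert!(v.verify_and_cache(&good));
    let bad = Tx { effects: good.effects.clone(), auth: b"invalid".to_vec() };
    v.verify_in_block(&bad)
}

fn main() {
    println!("txid-only key: {}", bad_auth_block_accepted(false));
    println!("txid+auth key: {}", bad_auth_block_accepted(true));
}
```

With the txid-only key the block containing the invalid copy passes because the cache hit short-circuits the authorization check; with the authorization digest in the key the copy misses the cache and is rejected on full verification.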
CVE-2026-34377 was published on 2026-03-30. There are currently no publicly available proof-of-concept exploits. The vulnerability's complexity suggests a medium probability of exploitation (EPSS score pending evaluation). It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-34377 is to upgrade Zebra to version 4.3.0 or later, which contains the fix for this consensus failure. If an immediate upgrade is not feasible, consider implementing network monitoring to detect unusual block acceptance patterns. While a WAF or proxy cannot directly mitigate this vulnerability, monitoring network traffic for suspicious transaction patterns could provide early warning signs. After upgrading, confirm the fix by verifying that Zebra nodes consistently accept blocks from the main Zcash network and do not exhibit signs of consensus divergence.
Update to version 4.3.0 of zebrad or version 5.0.1 of zebra-consensus to fix the vulnerability. This will prevent a potential consensus split due to improper verification of V5 transactions. The update ensures that your Zebra node rejects invalid blocks and maintains consistency with the Zcash network.
CVE-2026-34377 is a HIGH severity vulnerability affecting Zebra Zcash node versions ≤4.3.0. It allows a malicious miner to induce a consensus split by exploiting a flaw in transaction verification, potentially isolating vulnerable nodes.
You are affected if you are running Zebra Zcash Node version 4.3.0 or earlier. Check your version and upgrade immediately to mitigate the risk.
Upgrade Zebra Zcash Node to version 4.3.0 or later. This resolves the consensus failure vulnerability and prevents potential network disruptions.
As of the current date, there are no publicly known active exploits for CVE-2026-34377. However, the vulnerability's potential impact warrants immediate patching.
Refer to the official Zebra project website and GitHub repository for the latest security advisories and release notes related to CVE-2026-34377.