Platform: linux
Component: zcashd
Fixed in: 6.12.0
CVE-2026-35679 is a security vulnerability affecting Zcashd versions prior to 6.12.0. Under specific circumstances the flaw allows invalid transactions to be accepted, which could let an attacker drain user funds from the Sprout pool. The root cause is inadequate verification of Sprout proofs, a core component of Zcash's shielded (privacy-preserving) transaction design. Users are strongly advised to upgrade to version 6.12.0 to mitigate this risk.
The primary impact of CVE-2026-35679 is the potential unauthorized draining of user funds from the Zcash Sprout pool. An attacker exploiting this vulnerability could craft and submit malicious transactions that bypass the intended validation checks. Because Sprout transactions are shielded, such activity could be difficult to detect. The blast radius extends to any Zcash user holding funds in the Sprout pool whose node is running a vulnerable version. While the CVSS score is LOW, the potential financial impact on affected users is significant.
CVE-2026-35679 was publicly disclosed on 2026-04-05. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. Given the lack of public exploits and the relatively low CVSS score, the probability of exploitation is considered low to medium.
Exploit Status
EPSS: 0.01% (1st percentile)
The definitive mitigation for CVE-2026-35679 is to upgrade Zcashd to version 6.12.0 or later. This version includes the fixes needed to properly verify Sprout proofs and reject invalid transactions. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, consider applying stricter transaction validation rules at the node level, but treat this as a stopgap rather than a substitute for patching. Monitor Zcashd logs for unusual transaction patterns or errors related to Sprout proof verification. After upgrading, confirm the fix by submitting a transaction known to be invalid under the vulnerable conditions and verifying that the node rejects it.
Update to version 6.12.0 or later to correct the Sprout proof verification flaw. This update ensures that invalid transactions are no longer accepted, protecting user funds in the Sprout pool.
CVE-2026-35679 is a vulnerability in Zcashd versions before 6.12.0 that allows invalid transactions to be accepted because of insufficient Sprout proof verification, potentially leading to the draining of funds.
Yes, if you are running Zcashd versions 0.0 through 6.11.0, you are affected by this vulnerability. Upgrade to version 6.12.0 or later to mitigate the risk.
The fix is to upgrade Zcashd to version 6.12.0 or later. This version includes the necessary changes to properly verify Sprout proofs.
There is currently no indication of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the official Zcash security advisories on the Zcash website or GitHub repository for detailed information and updates.