Platform
rust
Component
zebrad
Fixed version
4.3.1
5.0.2
4.3.0
CVE-2026-34377 describes a consensus failure vulnerability within Zebra, a Zcash node implementation. This flaw allows a malicious miner to induce a consensus split by exploiting a logic error in the transaction verification cache. Affected versions include those prior to 4.3.0; upgrading to 4.3.0 resolves the issue.
The core impact of CVE-2026-34377 is the potential for a consensus split within the Zcash network. An attacker can craft authorization data that, while matching a valid transaction's txid, contains invalid data. This can trick vulnerable Zebra nodes into accepting an invalid block, causing them to diverge from the main Zcash network. While this vulnerability does not allow attackers to directly accept invalid transactions, it can isolate vulnerable nodes, disrupting their ability to participate in the network and potentially leading to chain instability. The blast radius is limited to Zebra nodes running vulnerable versions, but the impact on network consensus is significant.
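Added example, not part of the original page and not Zebra's code: a toy Rust model of the cache error described above, where a "verified" cache keyed on the txid alone lets a copy with different authorization data skip verification. The `Tx` type, the `digest` helper and the toy validity rule are assumptions for illustration; keying the cache on an identifier that also covers the authorization data is shown as one way to avoid this class of bug, not as the Zebra patch itself.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};

// Toy stand-in for a cryptographic digest (illustration only).
fn digest(data: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    data.hash(&mut h);
    h.finish()
}

// Hypothetical transaction model: the txid covers `effects` only, not `auth`.
struct Tx {
    effects: Vec<u8>,
    auth: Vec<u8>,
}

impl Tx {
    fn txid(&self) -> u64 { digest(&self.effects) }
    // Identifier that also commits to the authorization data.
    fn wtxid(&self) -> (u64, u64) { (self.txid(), digest(&self.auth)) }
    // Toy validity rule: auth must equal the digest of the effects.
    fn auth_is_valid(&self) -> bool {
        self.auth[..] == digest(&self.effects).to_le_bytes()[..]
    }
}

// Flawed pattern: a txid cache hit skips the authorization check.
fn accept_cached_by_txid(verified: &HashSet<u64>, tx: &Tx) -> bool {
    verified.contains(&tx.txid()) || tx.auth_is_valid()
}

// Hardened pattern: a hit requires the same txid and the same auth digest.
fn accept_cached_by_wtxid(verified: &HashSet<(u64, u64)>, tx: &Tx) -> bool {
    verified.contains(&tx.wtxid()) || tx.auth_is_valid()
}

// Constructed scenario: (flawed cache accepts, hardened cache accepts)
// for a copy of a verified transaction whose auth bytes were replaced.
fn demo() -> (bool, bool) {
    let effects = b"constructed sample effects".to_vec();
    let auth = digest(&effects).to_le_bytes().to_vec();
    let good = Tx { effects, auth };
    let altered = Tx { effects: good.effects.clone(), auth: vec![0u8; 8] };
    let by_txid = HashSet::from([good.txid()]);
    let by_wtxid = HashSet::from([good.wtxid()]);
    (accept_cached_by_txid(&by_txid, &altered), accept_cached_by_wtxid(&by_wtxid, &altered))
}

fn main() { println!("{:?}", demo()); }
```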
CVE-2026-34377 was published on 2026-03-30. There are currently no publicly available proof-of-concept exploits. The vulnerability's complexity suggests a medium probability of exploitation (EPSS score pending evaluation). It is not currently listed on the CISA KEV catalog.
Zcash node operators running Zebra are at risk, particularly those using older, unpatched versions. This includes individuals and organizations participating in the Zcash network who rely on Zebra for transaction validation and block propagation. Those with limited resources or delayed upgrade cycles are especially vulnerable.
• linux / server:
journalctl -u zebra | grep -i "consensus split"
• generic web:
curl -s https://<zebra_node_ip>/ | grep -i "Zebra version"
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34377 is to upgrade Zebra to version 4.3.0 or later, which contains the fix for this consensus failure. If an immediate upgrade is not feasible, consider implementing network monitoring to detect unusual block acceptance patterns. While a WAF or proxy cannot directly mitigate this vulnerability, monitoring network traffic for suspicious transaction patterns could provide early warning signs. After upgrading, confirm the fix by verifying that Zebra nodes consistently accept blocks from the main Zcash network and do not exhibit signs of consensus divergence.
Upgrade to zebrad version 4.3.0 or zebra-consensus version 5.0.1 to fix the vulnerability. This prevents a possible consensus split caused by incorrect verification of V5 transactions. The upgrade ensures that your Zebra node rejects invalid blocks and stays consistent with the Zcash network.
CVE-2026-34377 is a HIGH severity vulnerability affecting Zebra Zcash nodes versions ≤4.3.0. It allows a malicious miner to induce a consensus split by exploiting a flaw in transaction verification, potentially isolating vulnerable nodes.
You are affected if you are running Zebra Zcash Node version 4.3.0 or earlier. Check your version and upgrade immediately to mitigate the risk.
Upgrade Zebra Zcash Node to version 4.3.0 or later. This resolves the consensus failure vulnerability and prevents potential network disruptions.
As of the current date, there are no publicly known active exploits for CVE-2026-34377. However, the vulnerability's potential impact warrants immediate patching.
Refer to the official Zebra project website and GitHub repository for the latest security advisories and release notes related to CVE-2026-34377.