583 matches found
CVE-2026-41585
ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the...
CVE-2026-41584
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity a "zero"...
CVE-2026-44499 ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent...
CVE-2026-44499 ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent...
CVE-2026-44499
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent...
CVE-2026-44499
ZEBRA (Zcash node, Rust) before 4.4.0 contains a composite DoS in the block discovery pipeline. An unauthenticated remote attacker can, via a single TCP connection, exploit three independent weaknesses in the gossip, syncer, and download subsystems to create a monotonically growing block deficit ...
CVE-2026-44499 ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent...
CVE-2026-44500 ZEBRA: Allocation Amplification in Inbound Network Deserializers
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter...
CVE-2026-44500 ZEBRA: Allocation Amplification in Inbound Network Deserializers
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter...
CVE-2026-44500
ZCV-64500: Allocation amplification in Zebra inbound deserializers affects Zebra nodes prior to 4.4.0 across zebrad, zebra-chain, and zebra-network. Inbound messages (headers, blocks, transactions) could be deserialized using generic transport or block-size ceilings, causing unauthenticated/post-...
CVE-2026-44500 ZEBRA: Allocation Amplification in Inbound Network Deserializers
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter...
CVE-2026-44498
CVE-2026-44498 affects ZEBRA (Zcash node written in Rust). Prior to version 4.4.0, Zebra’s block validator undercounted sigops, specifically: (A) Coinbase legacy sigops were not charged, hiding up to ~98 sigops, and (B) P2SH sigops were not accumulated during block validation. This caused blocks ...
CVE-2026-44498
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit MAXBLOCKSIGOPS, allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block...
CVE-2026-44498 ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit MAXBLOCKSIGOPS, allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block...
CVE-2026-44498 ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit MAXBLOCKSIGOPS, allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block...
CVE-2026-44498 ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit MAXBLOCKSIGOPS, allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block...
CVE-2026-44497 ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of...
CVE-2026-44497
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of...
CVE-2026-44497 ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of...
CVE-2026-44497
ZEBRA/ZEC network node software is affected by CVE-2026-44497 due to insufficient error handling when an invalid sighash type is encountered during sighash computation. Prior to zebrad version 4.4.0 and zebra-script version 6.0.0, this could cause the normal flow to resume with the input sighash ...