CVE-2026-34202 | THREATINT

Description

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.

PUBLISHED Reserved 2026-03-26 | Published 2026-03-31 | Updated 2026-03-31 | Assigner GitHub_M

CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Problem types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 4.3.0

affected

< 6.0.1

affected

References

github.com/.../zebra/security/advisories/GHSA-qp6f-w4r3-h8wg

github.com/ZcashFoundation/zebra/releases/tag/v4.3.0

zfnd.org/...xes-zip-235-support-and-performance-improvements

cve.org (CVE-2026-34202)

nvd.nist.gov (CVE-2026-34202)

Download JSON