
CVE-2026-34377: CWE-347: Improper Verification of Cryptographic Signature in ZcashFoundation zebra

Severity: High
Tags: vulnerability, cve-2026-34377, cwe-347
Published: Tue Mar 31 2026 (03/31/2026, 14:05:59 UTC)
Source: CVE Database V5
Vendor/Project: ZcashFoundation
Product: zebra

Description

CVE-2026-34377 is a high-severity vulnerability in the Zcash Foundation's Zebra node software, versions prior to 4.3.0. It involves improper verification of cryptographic signatures caused by a logic error in the transaction verification cache. A malicious miner can exploit the flaw by including in a block a transaction with a valid transaction ID paired with invalid authorization data; vulnerable Zebra nodes accept the invalid block. The flaw does not let an invalid transaction be accepted on its own merits, but it can cause a consensus split between vulnerable Zebra nodes and the rest of the network (patched Zebra nodes and zcashd nodes). Such a split undermines network reliability and trust. The issue is patched in zebrad 4.3.0 and zebra-consensus 5.0.1.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 14:38:23 UTC

Technical Analysis

CVE-2026-34377 is classified under CWE-347 (Improper Verification of Cryptographic Signature) and affects Zebra, the Zcash Foundation's Rust implementation of a Zcash full node, which validates transactions and blocks and participates in consensus. Prior to zebrad 4.3.0 and zebra-consensus 5.0.1, a logic error in the transaction verification cache allowed a previously verified transaction to be matched by its transaction ID (txid) alone. In Zcash v5 transactions (ZIP 244) the txid commits only to the effecting data; signatures and proofs are carried in the authorizing data and committed to separately. A cache keyed on the txid therefore reports a copy of a known transaction whose authorizing data has been replaced with invalid signatures as already verified.

A malicious miner exploits this by mining a block that contains such a transaction: a valid txid paired with invalid authorization data. Vulnerable Zebra nodes accept the block because the cache treats the transaction as verified, while patched Zebra nodes and zcashd nodes perform the full check and reject it. The result is a consensus split in which parts of the network disagree on the chain tip. The flaw does not let an invalid transaction be accepted on its own merits, but the split threatens network stability and consensus integrity.

Exploitation requires no user interaction and is carried out over the network; the practical precondition is the ability to get a block containing the crafted transaction proposed, i.e. a miner role. The CVSS 4.0 base score of 8.4 reflects the high impact on integrity and availability. The fix in zebrad 4.3.0 and zebra-consensus 5.0.1 corrects the cache logic so that authorization data is validated together with the transaction ID, so such blocks are rejected and the consensus-split risk is removed.
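The cache-key failure described above, reduced to a runnable model. This is an added example written for this page, not Zebra's code: the `Tx` type, the keyed-digest `sign`/`verify_auth` stand-in for the real signature and proof checks, and `SIGNING_KEY` are all constructed here and are hypothetical. The vulnerable verifier caches by txid alone; the hardened one keys the cache on the txid plus a digest of the authorizing data, mirroring the description above of validating authorization data alongside the transaction ID. The simulation also shows why the outcome is a split rather than uniform acceptance: a vulnerable node with a cold cache rejects the same block.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};

/// Toy transaction. In Zcash v5 (ZIP 244) the txid commits only to the
/// effecting data, while signatures and proofs live in the authorizing data
/// and are committed separately. `txid` stands for the former, `auth` for
/// the latter. Constructed for this example; not Zebra's types.
#[derive(Clone, Debug)]
pub struct Tx {
    pub txid: [u8; 32],
    pub auth: Vec<u8>,
}

/// Constructed stand-in for a signing key (hypothetical; not a real key).
const SIGNING_KEY: u64 = 0x5eed_c0de_1234_5678;

fn hash64<T: Hash>(value: &T) -> u64 {
    let mut h = DefaultHasher::new();
    value.hash(&mut h);
    h.finish()
}

/// Toy "signature": a keyed digest over the txid, standing in for the real
/// signature and proof checks. Only whoever holds SIGNING_KEY can produce it.
pub fn sign(txid: &[u8; 32]) -> Vec<u8> {
    hash64(&(SIGNING_KEY, txid)).to_le_bytes().to_vec()
}

/// The full, expensive authorization check: recompute and compare the tag.
pub fn verify_auth(tx: &Tx) -> bool {
    tx.auth == sign(&tx.txid)
}

/// Digest of the authorizing data alone (analogue of ZIP 244's auth_digest).
pub fn auth_digest(tx: &Tx) -> u64 {
    hash64(&tx.auth)
}

/// Verifier whose cache is keyed by txid only: the bug pattern described above.
#[derive(Default)]
pub struct VulnerableVerifier {
    verified: HashSet<[u8; 32]>,
}

impl VulnerableVerifier {
    pub fn verify_tx(&mut self, tx: &Tx) -> bool {
        if self.verified.contains(&tx.txid) {
            // Cache hit: the authorizing data of *this* copy is never examined.
            return true;
        }
        let ok = verify_auth(tx);
        if ok {
            self.verified.insert(tx.txid);
        }
        ok
    }

    pub fn verify_block(&mut self, block: &[Tx]) -> bool {
        block.iter().all(|tx| self.verify_tx(tx))
    }
}

/// Hardened verifier: the cache key binds the txid *and* the authorizing-data
/// digest, so a copy with swapped signatures misses the cache and gets the full check.
#[derive(Default)]
pub struct FixedVerifier {
    verified: HashSet<([u8; 32], u64)>,
}

impl FixedVerifier {
    pub fn verify_tx(&mut self, tx: &Tx) -> bool {
        let key = (tx.txid, auth_digest(tx));
        if self.verified.contains(&key) {
            return true;
        }
        let ok = verify_auth(tx);
        if ok {
            self.verified.insert(key);
        }
        ok
    }

    pub fn verify_block(&mut self, block: &[Tx]) -> bool {
        block.iter().all(|tx| self.verify_tx(tx))
    }
}

/// Replays the scenario from the analysis. Both nodes first verify an honest
/// transaction (for example, from the mempool); a miner then includes a copy
/// with the same txid but garbage authorizing data in a block.
/// Returns (vulnerable node accepts block, fixed node accepts block).
pub fn simulate_split() -> (bool, bool) {
    let txid = [0x42u8; 32];
    let honest = Tx { txid, auth: sign(&txid) };
    let forged = Tx { txid, auth: vec![0u8; 8] }; // same txid, invalid auth

    let mut vulnerable = VulnerableVerifier::default();
    let mut fixed = FixedVerifier::default();
    assert!(vulnerable.verify_tx(&honest));
    assert!(fixed.verify_tx(&honest));

    let block = [forged];
    (vulnerable.verify_block(&block), fixed.verify_block(&block))
}

/// A vulnerable node that never saw the honest transaction has a cold cache
/// and rejects the same block; warm-cache and cold-cache nodes thus disagree.
pub fn cold_vulnerable_node_accepts() -> bool {
    let txid = [0x42u8; 32];
    let block = [Tx { txid, auth: vec![0u8; 8] }];
    VulnerableVerifier::default().verify_block(&block)
}

fn main() {
    let (vulnerable, fixed) = simulate_split();
    println!("warm-cache vulnerable node accepts forged block: {vulnerable}");
    println!("patched node accepts forged block: {fixed}");
    println!("cold-cache vulnerable node accepts forged block: {}", cold_vulnerable_node_accepts());
}
```

The design point is the cache key: a memoized "verified" result is only as safe as the set of inputs the key binds, and here the signatures were an input the key omitted. Keying on a digest of the authorizing data (rather than storing the data itself) keeps the cache small while still distinguishing every distinct copy of a transaction.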

Potential Impact

The primary impact of CVE-2026-34377 is a consensus split in the Zcash network: nodes running vulnerable Zebra versions follow a chain containing the crafted block while patched Zebra and zcashd nodes reject it. A persistent fork delays transaction finality, creates double-spend opportunities across the two chain views, and undermines trust in the blockchain's integrity. Although invalid transactions are not accepted on their own merits, the disruption degrades availability and reliability for users and businesses that rely on Zcash for payments and privacy-preserving transactions. Exchanges, wallet providers and other services that act on a single consistent chain state are most exposed, since a deposit confirmed on one side of the split may not exist on the other. Organizations operating vulnerable Zebra nodes also risk economic loss and reputational damage. Confidentiality is not affected; the impact is on the integrity and availability of consensus.

Mitigation Recommendations

Upgrade every Zebra node to zebrad 4.3.0 or later (and, for downstream users of the crate, zebra-consensus 5.0.1 or later) without delay; this is the only complete fix. Inventory node versions across the fleet and confirm that no vulnerable instance remains in service. Because Zcash is a permissionless proof-of-work network, operators cannot restrict who mines or proposes blocks, so detection is the practical second line: monitor chain tips across your own nodes and against an independent implementation (for example, run zcashd or a patched Zebra alongside legacy nodes and alert when their best block hashes diverge for more than a few blocks). Exchanges and custodians should treat a sustained divergence as an incident and raise confirmation requirements or pause withdrawals until it is resolved. Longer term, review and test cryptographic verification caches so that the cache key binds every input the check depends on, including authorizing data, and subscribe to Zcash Foundation security advisories so that future releases are applied promptly.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-27T13:43:14.370Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69cbd8dce6bfc5ba1d1c31ac

Added to database: 3/31/2026, 2:23:24 PM

Last enriched: 3/31/2026, 2:38:23 PM

Last updated: 3/31/2026, 3:51:53 PM

