CVE-2026-41583: CWE-573: Improper Following of Specification by Caller in ZcashFoundation zebra
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
AI Analysis
Technical Summary
Zebra, a Zcash node implementation written in Rust, contained a vulnerability due to improper following of the consensus specification (CWE-573). After a refactoring, Zebra failed to validate the allowed sighash hash types for V5 transactions enabled by the NU5 upgrade, allowing acceptance and mining of blocks invalid to zcashd nodes. Additionally, for V4 transactions, Zebra used a 'canonical' hash type for sighash computation instead of the raw value as specified, potentially causing consensus divergence. This vulnerability could lead to a consensus split between Zebra and zcashd nodes. The issue is fixed in zebrad version 4.3.1 and zebra-script version 5.0.2.
Potential Impact
The vulnerability can cause Zebra nodes to accept and mine blocks that are invalid according to the official zcashd node consensus rules, resulting in a consensus split. Such a split undermines network integrity and could disrupt blockchain operations for users relying on Zebra nodes. The CVSS 4.0 score is 9.3 (critical), reflecting high impact due to network-wide consensus disruption without requiring privileges or user interaction. No exploits are currently known in the wild.
Mitigation Recommendations
A fix is available and has been released in zebrad version 4.3.1 and zebra-script version 5.0.2. Users and operators of Zebra nodes should upgrade to these versions or later to resolve the vulnerability and prevent consensus splits. Patch status beyond these versions is not explicitly stated but assumed included. No other mitigation actions are indicated.
CVE-2026-41583: CWE-573: Improper Following of Specification by Caller in ZcashFoundation zebra
Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Zebra, a Zcash node implementation written in Rust, contained a vulnerability due to improper following of the consensus specification (CWE-573). After a refactoring, Zebra failed to validate the allowed sighash hash types for V5 transactions enabled by the NU5 upgrade, allowing acceptance and mining of blocks invalid to zcashd nodes. Additionally, for V4 transactions, Zebra used a 'canonical' hash type for sighash computation instead of the raw value as specified, potentially causing consensus divergence. This vulnerability could lead to a consensus split between Zebra and zcashd nodes. The issue is fixed in zebrad version 4.3.1 and zebra-script version 5.0.2.
Potential Impact
The vulnerability can cause Zebra nodes to accept and mine blocks that are invalid according to the official zcashd node consensus rules, resulting in a consensus split. Such a split undermines network integrity and could disrupt blockchain operations for users relying on Zebra nodes. The CVSS 4.0 score is 9.3 (critical), reflecting high impact due to network-wide consensus disruption without requiring privileges or user interaction. No exploits are currently known in the wild.
Mitigation Recommendations
A fix is available and has been released in zebrad version 4.3.1 and zebra-script version 5.0.2. Users and operators of Zebra nodes should upgrade to these versions or later to resolve the vulnerability and prevent consensus splits. Patch status beyond these versions is not explicitly stated but assumed included. No other mitigation actions are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-21T14:15:21.959Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fdff95cbff5d8610e6d6f9
Added to database: 5/8/2026, 3:21:57 PM
Last enriched: 5/8/2026, 3:37:01 PM
Last updated: 5/9/2026, 6:15:12 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.