
GHSA-gf9r-m956-97qx: zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser

Critical
Published: 07/02/2026 (07/02/2026, 19:43:36 UTC)
Source: GCVE Database
Product: zebra-script

Description

A consensus divergence vulnerability exists in zebrad up to and including v4.4.1 due to an incorrect P2SH sigop counting implementation in its pure-Rust disabled-opcode parser. This causes Zebra nodes to accept blocks that zcashd nodes reject when the block-wide MAX_BLOCK_SIGOPS threshold is exceeded on one side but not the other. An attacker can exploit this by broadcasting transactions with malicious redeem scripts containing disabled opcodes followed by sigops, causing a chain split between Zebra and zcashd validators. The issue is patched in Zebra 4.4.2 by routing the P2SH sigop counter through the same C++ FFI used by the legacy sigop counter. No configuration workaround exists; upgrading is required to remediate.

CVSS v4.0

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vuln. Confidentiality: None
Vuln. Integrity: High
Vuln. Availability: None
Subsq. Confidentiality: None
Subsq. Integrity: High
Subsq. Availability: High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H

Affected software

zebra-script (crates.io, GHSA)
Affected versions: <7.0.0
zebrad (crates.io, GHSA)
Affected versions: <4.5.0

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 23:11:23 UTC

Technical Analysis

The vulnerability arises because Zebra's P2SH sigop counter uses a pure-Rust code path that short-circuits on disabled opcodes: it returns a partial count, so any sigops that follow the disabled opcode contribute zero. In contrast, the reference implementation zcashd counts through disabled opcodes during static sigop analysis. This discrepancy leads to consensus divergence when the MAX_BLOCK_SIGOPS threshold (20,000) is crossed on one side but not the other. An attacker can exploit this by broadcasting transactions spending P2SH outputs with redeem scripts containing disabled opcodes followed by multiple OP_CHECKMULTISIG opcodes, causing Zebra to undercount sigops and accept blocks that zcashd rejects. The vulnerability affects all default configurations of zebrad up to v4.4.1 on any network shared with zcashd nodes. The issue is fixed in Zebra 4.4.2 by changing the P2SH sigop counting to use the C++ FFI path consistent with legacy sigop counting.
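The counting mismatch described above can be shown with a small differential check. This is an added example, not code from Zebra or zcashd: the function names are hypothetical, the sample scripts are constructed, and it assumes the Bitcoin-style accurate counting rule (1 per OP_CHECKSIG, n or 20 per OP_CHECKMULTISIG).

```rust
// Added illustration (hypothetical names): simplified static sigop counting, not Zebra or zcashd code.
const OP_1: u8 = 0x51;
const OP_16: u8 = 0x60;
const OP_CAT: u8 = 0x7e; // a disabled opcode
const OP_CHECKSIG: u8 = 0xac;
const OP_CHECKMULTISIG: u8 = 0xae;

fn is_disabled(op: u8) -> bool {
    matches!(op, 0x7e..=0x81 | 0x83..=0x86 | 0x8d | 0x8e | 0x95..=0x99)
}

/// Counts sigops; `stop_at_disabled` models the short-circuiting parser.
fn count_sigops(script: &[u8], stop_at_disabled: bool) -> u32 {
    let (mut i, mut n, mut last) = (0usize, 0u32, 0xffu8);
    while i < script.len() {
        let op = script[i];
        i += 1;
        // Skip push payloads so data bytes are never read as opcodes.
        let len_bytes = match op { 0x4c => 1, 0x4d => 2, 0x4e => 4, _ => 0 };
        let mut push_len = if op < 0x4c { op as usize } else { 0 };
        if len_bytes > 0 {
            if len_bytes > script.len() - i { break; }
            push_len = script[i..i + len_bytes].iter().rev().fold(0, |a, &b| (a << 8) | b as usize);
            i += len_bytes;
        }
        if push_len > script.len() - i { break; } // truncated push ends the scan
        i += push_len;
        if stop_at_disabled && is_disabled(op) { return n; } // the modelled defect
        match op {
            0xac | 0xad => n += 1, // OP_CHECKSIG, OP_CHECKSIGVERIFY
            0xae | 0xaf => n += if (OP_1..=OP_16).contains(&last) { (last - OP_1 + 1) as u32 } else { 20 },
            _ => {}
        }
        last = op;
    }
    n
}

/// Differential check: true when the two counting strategies disagree.
fn diverges(script: &[u8]) -> bool { count_sigops(script, false) != count_sigops(script, true) }

fn main() {
    // Constructed sample scripts (not taken from any real transaction).
    let samples: [&[u8]; 3] = [&[0x52, OP_CHECKMULTISIG], &[OP_CHECKSIG, OP_CAT, OP_CHECKSIG], &[0x01, OP_CAT, OP_CHECKSIG]];
    for s in samples {
        println!("{:02x?} reference={} short_circuit={} diverges={}", s, count_sigops(s, false), count_sigops(s, true), diverges(s));
    }
}
```

A check of this shape works as a regression test: any script on which two sigop counters disagree is a consensus-divergence candidate, while a disabled-opcode byte inside push data (third sample) must not trigger the difference.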

Potential Impact

This vulnerability can cause a chain split between Zebra and zcashd validators on networks where both participate. Zebra nodes may accept blocks containing transactions with malicious redeem scripts that zcashd nodes reject for exceeding the sigop limit. Zebra miners are estimated to account for approximately 30% of the current network hashrate, so this can lead to significant network divergence. The attacker does not need mining capability or special privileges, only the ability to broadcast crafted transactions. The cost to the attacker is limited to transaction fees. This undermines network consensus and stability.

Mitigation Recommendations

A patch is available in Zebra version 4.4.2 that fixes the P2SH sigop counting to use the C++ FFI path consistent with the reference implementation. There is no configuration-level workaround. Operators should upgrade to Zebra 4.4.2 or later as soon as possible to prevent chain splits and consensus divergence.

Technical Details

GCVE Source: db.gcve.eu
OSV ID: GHSA-gf9r-m956-97qx
OSV Schema Version: 1.4.0
Aliases: ["CVE-2026-52735"]
Ecosystems: ["crates.io"]
Database Specific Severity: CRITICAL
CVSS Version: 4.0

Threat ID: 6a46ecb627e9c7971943c9b1

Added to database: 07/02/2026, 22:56:54 UTC

Last enriched: 07/02/2026, 23:11:23 UTC

Last updated: 07/02/2026, 23:11:23 UTC
