Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-hhm7-qrv5-h4r6: Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection

0
Medium
Published: 07/02/2026 (07/02/2026, 19:46:35 UTC)
Source: GCVE Database
Product: zebra-state

Description

Zebra versions up to and including v4.4.1 are vulnerable to a denial-of-service issue when processing blocks past the checkpoint height on networks with NU5 or later activated. The vulnerability arises because the node process aborts due to an assertion failure triggered by repeated shielded transactions in non-finalized state before duplicate-nullifier rejection occurs. This causes the entire node to crash and requires a manual restart. There is no configuration workaround, and the issue is fixed in zebra-state 7.0.0 and zebrad 4.5.0.

CVSS v3.1

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected software

crates.ioghsa
zebra-state
Affected versions
<7.0.0
crates.ioghsa
zebrad
Affected versions
<4.5.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/02/2026, 23:10:57 UTC

Technical Analysis

The vulnerability in Zebra's non-finalized state handling occurs because the transaction-location index (`tx_loc_by_hash`) is updated before the duplicate shielded-nullifier check. When a child block repeats a shielded transaction from its non-finalized parent, an assertion designed to enforce transaction uniqueness triggers a panic and aborts the node process instead of cleanly rejecting the block. This is due to the ordering of index updates and validation checks in `Chain::push`. The block transaction verifier does not perform the best-chain nullifier query for block transactions in non-finalized state, allowing this condition to cause a process abort. Two attack models exist: one where an attacker mines two consecutive blocks with a repeated shielded transaction, and another where an attacker broadcasts a shielded transaction and mines the immediate child block repeating it. Both cause a denial-of-service by crashing the node process.

Potential Impact

A malicious block producer can cause targeted Zebra nodes to crash and abort their process, resulting in denial-of-service and requiring node restarts. This can be exploited repeatedly to keep nodes offline for extended periods. The issue affects node liveness but does not cause consensus divergence, as other implementations like zcashd reject the invalid block cleanly. The attack requires the child block to repeat a shielded-only V5 transaction from a non-finalized parent block. The frequency of attack opportunities depends on the attacker's hashrate, with higher hashrates enabling more frequent attacks.

Mitigation Recommendations

An official fix is available in zebra-state 7.0.0 and zebrad 4.5.0, which replaces the assertion with an error return for duplicate transactions, preventing process aborts. There is no configuration-level workaround. Users should upgrade to these fixed versions to prevent denial-of-service crashes caused by repeated shielded transactions in non-finalized state.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-hhm7-qrv5-h4r6
Osv Schema Version
1.4.0
Aliases
["CVE-2026-52739"]
Ecosystems
["crates.io"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a46ecb627e9c7971943c9a2

Added to database: 07/02/2026, 22:56:54 UTC

Last enriched: 07/02/2026, 23:10:57 UTC

Last updated: 07/02/2026, 23:10:57 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses