GHSA-hhm7-qrv5-h4r6: Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection
Zebra versions up to and including v4.4.1 are vulnerable to a denial-of-service issue when processing blocks past the checkpoint height on networks with NU5 or later activated. The vulnerability arises because the node process aborts due to an assertion failure triggered by repeated shielded transactions in non-finalized state before duplicate-nullifier rejection occurs. This causes the entire node to crash and requires a manual restart. There is no configuration workaround, and the issue is fixed in zebra-state 7.0.0 and zebrad 4.5.0.
AI Analysis
Technical Summary
The vulnerability in Zebra's non-finalized state handling occurs because the transaction-location index (`tx_loc_by_hash`) is updated before the duplicate shielded-nullifier check. When a child block repeats a shielded transaction from its non-finalized parent, an assertion designed to enforce transaction uniqueness triggers a panic and aborts the node process instead of cleanly rejecting the block. This is due to the ordering of index updates and validation checks in `Chain::push`. The block transaction verifier does not perform the best-chain nullifier query for block transactions in non-finalized state, allowing this condition to cause a process abort. Two attack models exist: one where an attacker mines two consecutive blocks with a repeated shielded transaction, and another where an attacker broadcasts a shielded transaction and mines the immediate child block repeating it. Both cause a denial-of-service by crashing the node process.
Potential Impact
A malicious block producer can cause targeted Zebra nodes to crash and abort their process, resulting in denial-of-service and requiring node restarts. This can be exploited repeatedly to keep nodes offline for extended periods. The issue affects node liveness but does not cause consensus divergence, as other implementations like zcashd reject the invalid block cleanly. The attack requires the child block to repeat a shielded-only V5 transaction from a non-finalized parent block. The frequency of attack opportunities depends on the attacker's hashrate, with higher hashrates enabling more frequent attacks.
Mitigation Recommendations
An official fix is available in zebra-state 7.0.0 and zebrad 4.5.0, which replaces the assertion with an error return for duplicate transactions, preventing process aborts. There is no configuration-level workaround. Users should upgrade to these fixed versions to prevent denial-of-service crashes caused by repeated shielded transactions in non-finalized state.
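The ordering problem from the Technical Summary and the error-return fix described above, as an added example: this is a simplified model written for this page, not Zebra's code. `Tx`, `PushError`, `push_asserting` and `push_checked` are hypothetical names, hashes and nullifiers are reduced to `u64`, and validating the whole block before writing anything is a choice made here (the advisory only states that the assertion was replaced with an error return).

```rust
use std::collections::{HashMap, HashSet};

// Toy model, not Zebra's types: a transaction is a hash plus the nullifiers it reveals.
pub struct Tx { pub hash: u64, pub nullifiers: Vec<u64> }
#[derive(Debug, PartialEq)]
pub enum PushError { DuplicateTransaction(u64), DuplicateNullifier(u64) }
#[derive(Default)]
pub struct Chain {
    tx_loc_by_hash: HashMap<u64, (u32, usize)>, // hash -> (height, index in block)
    nullifiers: HashSet<u64>,
}

impl Chain {
    // Ordering the advisory describes: index update and uniqueness assertion
    // run before the duplicate-nullifier check gets a chance to reject the block.
    pub fn push_asserting(&mut self, height: u32, block: &[Tx]) -> Result<(), PushError> {
        for (i, tx) in block.iter().enumerate() {
            let prior = self.tx_loc_by_hash.insert(tx.hash, (height, i));
            assert!(prior.is_none(), "transactions must be unique within a chain");
            for n in &tx.nullifiers {
                if !self.nullifiers.insert(*n) { return Err(PushError::DuplicateNullifier(*n)); }
            }
        }
        Ok(())
    }

    // Hardened form: every check returns an error, and nothing is written
    // until the whole block has passed, so a rejected block changes no state.
    pub fn push_checked(&mut self, height: u32, block: &[Tx]) -> Result<(), PushError> {
        let (mut txs, mut nfs) = (HashSet::new(), HashSet::new());
        for tx in block {
            if self.tx_loc_by_hash.contains_key(&tx.hash) || !txs.insert(tx.hash) {
                return Err(PushError::DuplicateTransaction(tx.hash));
            }
            for n in &tx.nullifiers {
                if self.nullifiers.contains(n) || !nfs.insert(*n) { return Err(PushError::DuplicateNullifier(*n)); }
            }
        }
        for (i, tx) in block.iter().enumerate() {
            self.tx_loc_by_hash.insert(tx.hash, (height, i));
            self.nullifiers.extend(tx.nullifiers.iter().copied());
        }
        Ok(())
    }
}

fn main() {
    let block = |h| [Tx { hash: h, nullifiers: vec![100] }]; // constructed sample data
    let mut chain = Chain::default();
    let parent = chain.push_checked(1, &block(7));
    println!("{:?} {:?}", parent, chain.push_checked(2, &block(7)));
}
```

The general point for review: an `assert!` on data that arrives from peers is a remote process abort, so uniqueness invariants on untrusted input belong in the `Result` path.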
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-hhm7-qrv5-h4r6
- Osv Schema Version: 1.4.0
- Aliases: ["CVE-2026-52739"]
- Ecosystems: ["crates.io"]
- Database Specific Severity: MODERATE
- Cvss Version: 3.1
Threat ID: 6a46ecb627e9c7971943c9a2
Added to database: 07/02/2026, 22:56:54 UTC
Last enriched: 07/02/2026, 23:10:57 UTC
Last updated: 07/02/2026, 23:10:57 UTC