{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34377", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.370Z", "datePublished": "2026-03-31T14:05:59.959Z", "dateUpdated": "2026-03-31T17:18:12.932Z"}, "containers": {"cna": {"title": "Zebra has a Consensus Failure due to Improper Verification of V5 Transactions", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh"}, {"name": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0"}, {"name": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements", "tags": ["x_refsource_MISC"], "url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements"}], "affected": [{"vendor": "ZcashFoundation", "product": "zebra", "versions": [{"version": "< 4.3.0", "status": "affected"}]}, {"vendor": "ZcashFoundation", "product": "zebra-consensus", "versions": [{"version": "< 5.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:05:59.959Z"}, "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1."}], "source": {"advisory": "GHSA-3vmh-33xr-9cqh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:18:05.262524Z", "id": "CVE-2026-34377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:18:12.932Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T17:18:05.262524Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:18:09.921Z"}}], "cna": {"title": "Zebra has a Consensus Failure due to Improper Verification of V5 Transactions", "source": {"advisory": "GHSA-3vmh-33xr-9cqh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ZcashFoundation", "product": "zebra", "versions": [{"status": "affected", "version": "< 4.3.0"}]}, {"vendor": "ZcashFoundation", "product": "zebra-consensus", "versions": [{"status": "affected", "version": "< 5.0.1"}]}], "references": [{"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh", "name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0", "name": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0", "tags": ["x_refsource_MISC"]}, {"url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements", "name": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:05:59.959Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34377", "state": "PUBLISHED", "dateUpdated": "2026-03-31T17:18:12.932Z", "dateReserved": "2026-03-27T13:43:14.370Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T14:05:59.959Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zfnd:zebra:*:*:*:*:*:rust:*:*", "matchCriteriaId": "4B93957D-63A6-4232-8046-FDF593752C05", "versionEndExcluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zfnd:zebra-consensus:*:*:*:*:*:rust:*:*", "matchCriteriaId": "D958D1C3-B1F2-48EE-A41C-777DE3C0A8B1", "versionEndExcluding": "5.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1."}], "id": "CVE-2026-34377", "lastModified": "2026-04-06T16:57:21.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:19.233", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zebra", "source": "cna", "vendor": "ZcashFoundation"}, "product": "zebra", "vendor": "zcashfoundation"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zebra-consensus", "source": "cna", "vendor": "ZcashFoundation"}, "product": "zebra-consensus", "vendor": "zcashfoundation"}], "analysis": {"en": {"generated_at": "2026-04-06T21:26:55.068740+00:00", "value": {"mitigation_remediation": ["Upgrade zebrad to version 4.3.0 or later", "Upgrade zebra-consensus to version 5.0.1 or later", "Restart the Zebra node to load the updated code", "Verify that the node\u2019s software version is current before allowing new blocks"], "summary": {"action": "Patch immediately", "impact": "Consensus split between vulnerable Zebra nodes and the broader Zcash network"}, "threat_synthesis": {"affected_systems": "ZcashFoundation\u2019s Zebra node software and its accompanying zebra\u2011consensus component are impacted. Any installation of zebrad versions earlier than 4.3.0 or zebra\u2011consensus earlier than 5.0.1 is vulnerable. Modern releases that meet or exceed these version thresholds have the issue patched.", "description_and_impact": "A logic error in Zebra\u2019s transaction verification cache allows a malicious miner to inject a block that appears to contain a valid transaction but carries invalid authorization data. Although the invalid transaction itself is not accepted, the block can be considered valid by vulnerable nodes, resulting in a consensus split with other Zcash nodes. This flaw does not the allow arbitrary code execution or data disclosure but can disrupt network integrity and reduce the reliability of affected nodes.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.4, indicating high severity, but the EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires a malicious miner generating a forged block that the node will accept due to the cache logic flaw; the attacker must be able to breed the node into accepting the block through normal network communication. The lack of a direct denial of service or privilege escalation barrier means that while system integrity is compromised, the vulnerability may be difficult to trigger without the attacker\u2019s participation in the consensus process."}}}}, "created": "2026-03-31T19:54:35.032377+00:00", "updated": "2026-04-07T08:08:07.639669+00:00", "vendors": ["zcashfoundation", "zcashfoundation$PRODUCT$zebra", "zcashfoundation$PRODUCT$zebra-consensus"]}