{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-35679", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-05T21:26:58.043Z", "datePublished": "2026-04-05T21:26:58.622Z", "dateUpdated": "2026-04-06T14:04:35.190Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "zcashd", "vendor": "Zcash", "versions": [{"lessThan": "6.12.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-358", "description": "CWE-358 Improperly Implemented Security Check for Standard", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-05T21:31:46.130Z"}, "references": [{"url": "https://github.com/zcash/zcash/releases/tag/v6.12.0"}, {"url": "https://github.com/zcash/zcash/commit/db969c63f48f0f9fc518112ed0b7ace1af78b9d0"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T14:03:56.794856Z", "id": "CVE-2026-35679", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:04:35.190Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T14:03:56.794856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:04:22.508Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zcash", "product": "zcashd", "versions": [{"status": "affected", "version": "0", "lessThan": "6.12.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zcash/zcash/releases/tag/v6.12.0"}, {"url": "https://github.com/zcash/zcash/commit/db969c63f48f0f9fc518112ed0b7ace1af78b9d0"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-358", "description": "CWE-358 Improperly Implemented Security Check for Standard"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-05T21:31:46.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35679", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:04:35.190Z", "dateReserved": "2026-04-05T21:26:58.043Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-05T21:26:58.622Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs."}], "id": "CVE-2026-35679", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-05T22:16:01.193", "references": [{"source": "cve@mitre.org", "url": "https://github.com/zcash/zcash/commit/db969c63f48f0f9fc518112ed0b7ace1af78b9d0"}, {"source": "cve@mitre.org", "url": "https://github.com/zcash/zcash/releases/tag/v6.12.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "zcashd", "vendor": "zcash"}], "analysis": {"en": {"generated_at": "2026-04-06T00:21:16.631903+00:00", "value": {"mitigation_remediation": ["Upgrade to zcashd version 6.12.0 or later to ensure correct Sprout proof verification."], "summary": {"action": "Upgrade", "impact": "Potential Loss of User Funds"}, "threat_synthesis": {"affected_systems": "The issue affects the Zcash daemon (zcashd) in all releases prior to version 6.12.0. Any node using those earlier builds without the patch may be vulnerable, regardless of operating system or deployment environment.", "description_and_impact": "This vulnerability allows Zcash zcashd to accept invalid transactions under certain conditions, potentially causing unauthorized transfer of user funds from the Sprout pool because the node sometimes fails to verify Sprout proofs. The weakness, identified as CWE\u2011358, results in an integrity breach that could allow an attacker to drain funds that should have been protected by cryptographic validation.", "risk_and_exploitability": "The CVSS score of 3.5 indicates low severity, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation. However, the attack vector is inferred to be remote: a threat actor could craft a malicious transaction and broadcast it to a vulnerable node, leveraging the lack of proof verification to create phantom balances. Since no EPSS score is available, the exact exploitation probability is uncertain, but the potential financial impact warrants remediation."}}}}, "created": "2026-04-06T20:22:18.044281+00:00", "title": "Potential Sprout Pool Funds Drainage via Accepting Invalid Transactions", "updated": "2026-04-06T21:48:10.416933+00:00", "vendors": ["zcash", "zcash$PRODUCT$zcashd"]}