GHSA-452v-w3gx-72wg: Remote Denial of Service via Identity Point Panic in Zebra Zcash Node
Vulnerability ID: GHSA-452V-W3GX-72WG
CVSS Score: 8.7
Published: 2026-04-18
The Zebra Zcash node implementation is vulnerable to a critical remote denial-of-service attack due to a logic error in Orchard transaction verification. An unhandled exception occurs when processing the randomized validating key (rk) if it is set to the Pallas curve identity point.
TL;DR
An unauthenticated remote attacker can crash a vulnerable Zebra node by broadcasting a crafted Orchard transaction where the rk field is the identity point. This triggers an .unwrap() panic in the underlying orchard crate, leading to immediate process termination.
Technical Details
- CWE ID: CWE-248
- Attack Vector: Network
- CVSS 4.0: 8.7
- Impact: Denial of Service
- Exploit Status: none
- KEV Status: Not Listed
Affected Systems
- Zebra (zebrad)
- Zebra (zebra-chain)
- Zcash network nodes
-
Zebra: < 4.3.1 (Fixed in:
4.3.1)
Mitigation Strategies
- Upgrade all Zebra nodes to version 4.3.1 or later.
- Monitor process logs for panics related to the
orchardcrate orcircuits.rs. - Adhere to the updated Zcash protocol specification regarding the rejection of identity
rkvalues.
Remediation Steps:
- Stop the running
zebradservice. - Download or compile Zebra version 4.3.1.
- Restart the
zebradservice with the updated binary. - Verify that the node resumes syncing and processing transactions correctly.
References
- GitHub Security Advisory GHSA-452v-w3gx-72wg
- Official Zebra Release v4.3.1
- Zcash Community Forum Announcement
- OSV Record
Read the full report for GHSA-452V-W3GX-72WG on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)