
CVE

CVE-2026-34202

Zebra node crash — V5 transaction hash panic (P2P reachable)

---

Remote Denial of Service via Crafted V5 Transactions

Summary

A vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.

Severity

Critical - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.

Affected Versions

All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0.

Description

The vulnerability stems from Zebra lazily validating transaction fields that the librustzcash parsing logic validates eagerly. Zebra uses that librustzcash logic when it computes transaction IDs and auth digests for V5 transactions, and it panics if those computations fail.

PushTransaction messages carrying malformed V5 transactions are successfully deserialized by the network codec into the zebra-chain Transaction type. When Zebra then converts those transactions into its internal types to compute the TxID, it assumes the conversion will succeed; when it fails, the node panics and crashes.

An attacker can trigger this crash by sending a single crafted tx message to a Zebra node's public P2P port. The same issue can be triggered via the sendrawtransaction RPC method.

Impact

Remote Denial of Service

  • Attack Vector: Remote, unauthenticated.
  • Effect: Immediate crash of the Zebra node.
  • Scope: Any node with an open P2P port (default 8233) or exposed RPC interface is vulnerable.

Fixed Versions

This issue is fixed in Zebra 4.3.0.

The fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.
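To make the bug class concrete, here is a constructed Rust model, added here and not Zebra's or librustzcash's code, of the two paths the description and the fix describe: a lazy codec parse that accepts a transaction the digest path later rejects, the pre-fix conversion that turns that rejection into a node-wide panic, and the post-fix shape that validates at deserialization and returns an error instead. The version-group field and its expected value are stand-ins; the advisory does not say which field is actually malformed.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Constructed stand-in for a field the digest path validates eagerly (not a real Zcash value).
pub const EXPECTED_VERSION_GROUP_ID: u32 = 0x5A5A_0005;
#[derive(Debug, Clone, PartialEq, Hash)]
pub struct V5Tx { pub version_group_id: u32, pub payload: Vec<u8> }
#[derive(Debug, PartialEq)]
pub enum TxError { Truncated, BadVersionGroup(u32) }

/// Lazy parse (pre-fix codec): only the wire layout is checked, so a
/// transaction with a bad version group ID still deserializes successfully.
pub fn parse_lazy(bytes: &[u8]) -> Result<V5Tx, TxError> {
    if bytes.len() < 4 { return Err(TxError::Truncated); }
    let version_group_id = u32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]);
    Ok(V5Tx { version_group_id, payload: bytes[4..].to_vec() })
}

/// The eager check the digest path performs on the way to the TxID.
fn check_for_digest(tx: &V5Tx) -> Result<(), TxError> {
    match tx.version_group_id {
        EXPECTED_VERSION_GROUP_ID => Ok(()),
        other => Err(TxError::BadVersionGroup(other)),
    }
}

fn digest(tx: &V5Tx) -> u64 {
    let mut h = DefaultHasher::new();
    tx.hash(&mut h);
    h.finish()
}

/// Pre-fix TxID path: the conversion is assumed to succeed, so a transaction
/// that passed the lazy parse panics here and takes the node down with it.
pub fn txid_panicking(tx: &V5Tx) -> u64 {
    check_for_digest(tx).expect("deserialized V5 transaction must hash");
    digest(tx)
}

/// Post-fix TxID path: the same failure becomes an error the caller rejects.
pub fn txid_checked(tx: &V5Tx) -> Result<u64, TxError> {
    check_for_digest(tx)?;
    Ok(digest(tx))
}

/// Post-fix parse: whatever the digest path would reject is rejected at
/// deserialization, so an invalid transaction never reaches the TxID code.
pub fn parse_strict(bytes: &[u8]) -> Result<V5Tx, TxError> {
    let tx = parse_lazy(bytes)?;
    check_for_digest(&tx)?;
    Ok(tx)
}
```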

Mitigation

Users should upgrade to Zebra 4.3.0 or later immediately.

If an immediate upgrade is not possible, users should ensure their RPC port is not exposed to the Internet. That alone is not enough, however: to fully mitigate the risk, the P2P port must also be closed or restricted to trusted peers, which may impact the node's ability to sync with the network.

Credits

Zebra thanks robustfengbin, who discovered this issue and reported it via the coordinated disclosure process.

---


References

  • https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg
  • https://github.com/ZcashFoundation/zebra
  • https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0
  • https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements
