216.73.217.22

CVE-2026-41584

· Published 08/05/2026 15:16 · Modified 08/05/2026 18:21

Labels: CVE-2026-41584 2026-05-08CVE-2026-41584CWE-617[email protected]

Essential information

Published
08/05/2026 15:16
Modified
08/05/2026 18:21
Author
Creator
CVSS
9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.

NVD status

Status
Analyzed — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
zfnd / zebra-chain cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*
zfnd / zebrad cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*

References