{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/zcashfoundation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["zebrad","zebra-script"],"_cs_severities":["critical"],"_cs_tags":["consensus-failure","vulnerability","network-partition"],"_cs_type":"advisory","_cs_vendors":["ZcashFoundation"],"content_html":"\u003cp\u003eZebra, a Zcash node implementation, versions prior to 4.4.0 are vulnerable to a critical consensus divergence issue. This flaw, identified as CVE-2026-44497, stems from inadequate error handling when processing invalid sighash types during signature hash computation. Specifically, when an undefined hash type is encountered, Zebra\u0026rsquo;s foreign function interface (FFI) does not properly propagate the error from the Rust-based sighash computation callback to the C++ verification code. Consequently, the C++ checker may use a stale digest from a previous valid signature validation, leading to the acceptance of invalid transactions. This discrepancy can create a consensus split between Zebra and zcashd nodes, potentially disrupting the Zcash network. The vulnerability was introduced as a side effect of a previous fix (GHSA-8m29-fpq5-89jj).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious transaction.\u003c/li\u003e\n\u003cli\u003eTransaction contains a transparent output.\u003c/li\u003e\n\u003cli\u003eThe output is spent by a script that includes \u003ccode\u003eOP_CHECKSIGVERIFY\u003c/code\u003e and \u003ccode\u003eOP_CHECKSIG\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eOP_CHECKSIGVERIFY\u003c/code\u003e is executed with a valid hash type, priming the C++ sighash buffer with a valid digest.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eOP_CHECKSIG\u003c/code\u003e is executed with an undefined hash type.\u003c/li\u003e\n\u003cli\u003eZebra\u0026rsquo;s Rust callback returns \u003ccode\u003eNone\u003c/code\u003e due to the undefined hash type, but the C++ checker does not receive this signal.\u003c/li\u003e\n\u003cli\u003eThe C++ checker verifies the invalid signature against the stale digest in the buffer.\u003c/li\u003e\n\u003cli\u003eZebra incorrectly accepts the spend, while zcashd rejects it, leading to a consensus split.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability can lead to a consensus failure within the Zcash network. An attacker can exploit this to cause network partitioning, where different nodes have conflicting views of the blockchain\u0026rsquo;s state. This can lead to service disruption for users relying on affected Zebra nodes. Furthermore, the vulnerability could potentially be exploited for double-spend attacks if a malicious miner relies on Zebra\u0026rsquo;s faulty validation results. While the impact is mitigated by the prevalence of \u003ccode\u003ezcashd\u003c/code\u003e among miners, any miner or template pipeline relying on Zebra\u0026rsquo;s validation is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Zebra nodes to version 4.4.0 or later immediately to address CVE-2026-44497.\u003c/li\u003e\n\u003cli\u003eMonitor Zebra node logs for unexpected consensus errors or forks following the upgrade.\u003c/li\u003e\n\u003cli\u003eEvaluate the feasibility of implementing custom monitoring to detect divergence between Zebra and zcashd validation results within your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T20:56:21Z","date_published":"2026-05-07T20:56:21Z","id":"/briefs/2024-01-09-zebra-consensus-divergence/","summary":"Zebra versions prior to 4.4.0 exhibit a consensus divergence vulnerability (CVE-2026-44497) due to insufficient error handling of invalid sighash types during sighash computation, potentially leading to network partitioning and double-spend attacks.","title":"Zebra Consensus Divergence in Transparent Sighash Hash-Type Handling (CVE-2026-44497)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-zebra-consensus-divergence/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["zebra ( \u003c 4.4.0)"],"_cs_severities":["medium"],"_cs_tags":["blockchain","consensus-failure","zcash"],"_cs_type":"advisory","_cs_vendors":["ZcashFoundation"],"content_html":"\u003cp\u003eZebra, a Zcash node implementation, contains a critical vulnerability where its block validator incorrectly calculates the number of signature operations (sigops) within a block. This flaw, present in versions prior to 4.4.0, stems from two distinct undercounting issues: incorrect handling of coinbase transactions and P2SH scripts. An attacker, typically a malicious miner, can exploit this to create blocks that Zebra accepts but \u003ccode\u003ezcashd\u003c/code\u003e rejects. This discrepancy leads to a consensus failure, causing a network split where Zebra nodes follow a different, invalid chain. This vulnerability poses a significant risk to network integrity for operators relying on Zebra for consensus.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious miner crafts a block with a high number of signature operations.\u003c/li\u003e\n\u003cli\u003eThe miner hides sigops in the coinbase \u003ccode\u003escriptSig\u003c/code\u003e (up to ~98 sigops).\u003c/li\u003e\n\u003cli\u003eThe miner includes transactions with a high number of P2SH spends whose redeem scripts collectively exceed 20000 sigops.\u003c/li\u003e\n\u003cli\u003eZebra\u0026rsquo;s block validator undercounts sigops due to the coinbase scriptSig and P2SH redeem script handling issues.\u003c/li\u003e\n\u003cli\u003eZebra accepts the invalid block because the sigop count is below \u003ccode\u003eMAX_BLOCK_SIGOPS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ezcashd\u003c/code\u003e rejects the block due to accurately counting the excessive sigops.\u003c/li\u003e\n\u003cli\u003eZebra nodes build on the invalid block, diverging from the main Zcash chain followed by \u003ccode\u003ezcashd\u003c/code\u003e nodes.\u003c/li\u003e\n\u003cli\u003eA network split occurs, where Zebra and \u003ccode\u003ezcashd\u003c/code\u003e nodes operate on separate chains.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability results in a network split between Zebra and \u003ccode\u003ezcashd\u003c/code\u003e nodes. Zebra nodes may accept and propagate blocks that are considered invalid by the rest of the network, leading to transaction rollbacks and unpredictable behavior for users relying on Zebra for consensus. This could lead to a denial of service and financial losses for users of Zebra nodes. There is no information available regarding the number of victims or specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Zebra nodes to version 4.4.0 or later to patch the vulnerability as advised by the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor network consensus and validate Zebra\u0026rsquo;s chain against other Zcash implementations (\u003ccode\u003ezcashd\u003c/code\u003e) to detect potential forks caused by this vulnerability.\u003c/li\u003e\n\u003cli\u003eConsider deploying network-level rules to identify blocks with unusually large coinbase \u003ccode\u003escriptSig\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for block validation processes in Zebra to investigate potential consensus failures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T20:54:33Z","date_published":"2026-05-07T20:54:33Z","id":"/briefs/2026-05-zebra-sigops-undercount/","summary":"Zebra's block validator undercounts signature operations, allowing it to accept invalid blocks, leading to a network split between Zebra and zcashd nodes.","title":"Zebra Block Validator Sigops Undercount Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-zebra-sigops-undercount/"}],"language":"en","title":"CraftedSignal Threat Feed — ZcashFoundation","version":"https://jsonfeed.org/version/1.1"}