PT-2026-55469 · Crates.Io · Zebra-State+1

Publicado

2026-07-02

·

Atualizado

2026-07-02

·

CVE-2026-52733

CVSS v3.1

6.5

Média

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

Am I affected

You are affected if:
  1. You run zebrad up to and including v4.4.1.
  2. Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners).
All default configurations are affected. The corruption persists across restarts because it is written to RocksDB.

Summary

When pop tip removes the tip block during a chain fork, stale Sapling and Orchard note commitment subtree root data is retained in the in-memory non-finalized state. When the chain subsequently finalizes, this stale data is written to the persistent RocksDB state. The corrupted subtree root history affects z getsubtreesbyindex (used by lightwalletd for wallet synchronization) and could affect future chain verification that depends on correct subtree roots.

Details

The non-finalized state provides two methods for removing blocks: pop root (removes the oldest block during finalization) and pop tip (removes the newest block during a fork revert). pop root correctly cleans up note commitment subtree contributions. pop tip does not: it removes the block but retains the block's subtree root contributions in the in-memory state.
When a chain fork occurs and pop tip reverts the old tip, the winning fork's chain is extended. When that chain is later finalized, the stale subtree data from the reverted blocks is included in the RocksDB write batch and persisted to disk.
The pop root/pop tip asymmetry is specific to subtree root handling. Other state managed by pop tip (nullifiers, UTXOs, anchors, block hashes) uses different cleanup patterns that are not affected.

Patches

zebra-state 7.0.0 and zebrad 4.5.0.
The fix adds subtree root cleanup to pop tip matching the pattern already used by pop root.

Workarounds

There is no configuration-level workaround. Chain forks are natural events on any Proof-of-Work network. Operators can mitigate the downstream impact by periodically verifying subtree root consistency using z getsubtreesbyindex against a known-good reference.

Impact

Persistent corruption of Sapling and Orchard subtree root history in the RocksDB state database. The corruption survives node restarts. Downstream consumers that rely on z getsubtreesbyindex for wallet synchronization (primarily lightwalletd and light wallets) receive incorrect subtree roots. This does not directly affect consensus validation of new blocks but can cause wallet synchronization failures or incorrect wallet state. Recovery requires rebuilding the state database from scratch.

Credit

Reported by @dingledropper via a private GitHub Security Advisory submission.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-52733
GHSA-2GF8-Q9RR-JQ3H

Produtos afetados

Zebra-State
Zebrad