Orchard · Orchard · CVE-2026-41584
**Name of the Vulnerable Software and Affected Versions**
zebrad versions prior to 4.3.1
zebra-chain versions prior to 6.0.2
**Description**
Orchard transactions include an `rk` field, a randomized validating key that is an elliptic curve point. The Zcash specification permits this field to be the identity (a zero value), but the `orchard` crate used for verifying Orchard proofs panics when it processes an `rk` with the identity value. Specifically, the issue occurs in the `circuits.rs` file of the `orchard` crate, where the code attempts to retrieve the coordinates of the `rk` value and calls `unwrap()` on the result. An attacker can exploit this by submitting a crafted transaction containing an identity `rk`, causing the node to crash and resulting in a Denial of Service.
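The failure mode described above, as an added Rust sketch that is not code from the `orchard` crate or Zebra: `Point`, `coordinates()`, `VerifyError` and the `rk_instance_*` functions are hypothetical stand-ins, with the identity modelled as a point that has no affine coordinates. It contrasts the `unwrap()` pattern with a variant that hands the caller an error value instead of panicking.

```rust
use std::panic;

/// Toy affine point (hypothetical type). `None` models the identity,
/// the point at infinity, which has no affine (x, y) coordinates.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Point(Option<(u64, u64)>);

impl Point {
    pub const IDENTITY: Point = Point(None);

    /// Coordinate accessor that yields nothing for the identity.
    pub fn coordinates(&self) -> Option<(u64, u64)> {
        self.0
    }
}

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    IdentityRk,
}

/// Pattern from the description: unwrap() on a value taken from the transaction.
pub fn rk_instance_unchecked(rk: Point) -> [u64; 2] {
    let (x, y) = rk.coordinates().unwrap(); // panics when rk is the identity
    [x, y]
}

/// Panic-free variant: the missing-coordinates case becomes an error the
/// caller must handle, so untrusted input cannot abort the process.
pub fn rk_instance_checked(rk: Point) -> Result<[u64; 2], VerifyError> {
    let (x, y) = rk.coordinates().ok_or(VerifyError::IdentityRk)?;
    Ok([x, y])
}

/// Reports whether the unchecked path panics for the given rk.
pub fn unchecked_panics(rk: Point) -> bool {
    panic::catch_unwind(|| rk_instance_unchecked(rk)).is_err()
}

fn main() {
    let rk = Point::IDENTITY; // constructed input
    println!("unchecked path panics: {}", unchecked_panics(rk));
    println!("checked path returns: {:?}", rk_instance_checked(rk));
}
```

How the caller treats the returned error (reject the transaction or handle the identity case explicitly) is a validation decision this sketch leaves open.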
**Recommendations**
Update zebrad to version 4.3.1 or later.
Update zebra-chain to version 6.0.2 or later.