PT-2026-28604 · Zebra · Zebra

Robustfengbin · Published 2026-03-27 · Updated 2026-03-31

CVE-2026-34202 · CVSS v4.0 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Name of the Vulnerable Software and Affected Versions: Zebra versions prior to 4.3.0
Description: A flaw in Zebra's transaction processing logic allows a remote, unauthenticated attacker to crash a Zebra node. The crash is triggered by a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation; the root cause is that Zebra validates transaction fields lazily, after the message has already been accepted. A single crafted tx message delivered to the node's public P2P port, or a single call to the sendrawtransaction RPC endpoint, is enough. PushTransaction messages carrying such malformed V5 transactions deserialize successfully into the zebra-chain Transaction type, so the defect only surfaces when the node later computes the transaction ID.
Recommendations: Upgrade to Zebra version 4.3.0 or later immediately. If an immediate upgrade is not possible, ensure the RPC port (which serves sendrawtransaction) is not exposed to the Internet. Since the P2P port is also reachable without authentication, restrict it to trusted peers to fully mitigate the risk.
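The failure mode described above, shown as an added illustration in Rust. This is not Zebra's code and models no real Zebra transaction field: the two-byte message layout, the "declared item count" field, the FNV hash standing in for the real transaction ID and every function name here are assumptions. It contrasts a parser that accepts a message and defers checking a header field until transaction-ID computation (where the violated invariant panics, i.e. the node crashes) with one that rejects the same bytes at deserialization.

```rust
// Added example, not Zebra's code. Toy "V5 transaction": version byte, a
// declared item count, then the items. The count/payload relationship is the
// hypothetical invariant that lazy parsing fails to enforce.
use std::panic;

#[derive(Debug, Clone, PartialEq)]
pub struct Tx {
    pub version: u8,
    pub declared_items: u8, // hypothetical header field
    pub items: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadVersion,
    CountMismatch,
}

/// Lazy parser: copies the declared count but never checks it against the
/// payload, so a malformed message is "successfully deserialized".
pub fn parse_lazy(bytes: &[u8]) -> Result<Tx, ParseError> {
    if bytes.len() < 2 {
        return Err(ParseError::Truncated);
    }
    let version = bytes[0];
    if version != 5 {
        return Err(ParseError::BadVersion);
    }
    Ok(Tx { version, declared_items: bytes[1], items: bytes[2..].to_vec() })
}

/// Strict parser: the same decoding, but the invariant is checked at
/// deserialization time and a malformed message is rejected with an error.
pub fn parse_strict(bytes: &[u8]) -> Result<Tx, ParseError> {
    let tx = parse_lazy(bytes)?;
    if usize::from(tx.declared_items) != tx.items.len() {
        return Err(ParseError::CountMismatch);
    }
    Ok(tx)
}

fn fnv_step(h: u64, b: u8) -> u64 {
    (h ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3)
}

/// Transaction-ID computation written on the assumption that the header
/// invariant holds. Iterating by the declared count indexes past the end of
/// `items` when the lazy parser let a mismatch through, and that panics.
pub fn txid(tx: &Tx) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325; // FNV-1a offset basis, stand-in hash
    h = fnv_step(h, tx.version);
    for i in 0..usize::from(tx.declared_items) {
        h = fnv_step(h, tx.items[i]); // out-of-bounds index => panic
    }
    h
}

/// Simulates a node handling one inbound message. Ok(Some(id)) means the
/// handler survived, Ok(None) means txid() panicked (the crash in the
/// advisory, caught here only so the example can report it).
pub fn handle_message(bytes: &[u8], strict: bool) -> Result<Option<u64>, ParseError> {
    let tx = if strict { parse_strict(bytes)? } else { parse_lazy(bytes)? };
    Ok(panic::catch_unwind(|| txid(&tx)).ok())
}

/// Constructed sample: declares 4 items but carries only 2.
pub fn crafted_message() -> Vec<u8> {
    vec![5, 4, 0xaa, 0xbb]
}

/// Constructed sample: declares 2 items and carries 2.
pub fn well_formed_message() -> Vec<u8> {
    vec![5, 2, 0xaa, 0xbb]
}

fn main() {
    for (label, msg) in [("well-formed", well_formed_message()), ("crafted", crafted_message())] {
        println!(
            "{label}: lazy={:?} strict={:?}",
            handle_message(&msg, false),
            handle_message(&msg, true)
        );
    }
}
```

The crafted message is rejected by the strict parser before any later code can rely on the field, which is the shape of fix the advisory's "lazily validating transaction fields" wording points at: validate every header-derived invariant at the deserialization boundary, not at first use.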

Exploit · Fix · DoS · Code Injection · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2026-34202, GHSA-QP6F-W4R3-H8WG

Affected Products: Zebra