PT-2026-29168 · Zebra+1 · Zebra+1

Conradoplg · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-34377

CVSS v4.0: 8.4 High

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

Zebra versions prior to 4.3.0
zebra-consensus versions prior to 5.0.1
Description

A flaw exists in Zebra's transaction verification cache that could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This issue stems from a logic error in the find_verified_unmined_tx function within transaction.rs, where the lookup mechanism used the txid as a unique key, excluding the Authorization Data Root for V5 transactions. This caused Zebra to skip the essential check_v5_auth() call, incorrectly assuming the transaction was already verified. The vulnerability affects Zebra nodes utilizing the transaction verification cache optimization for V5 transactions.
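
Added example (not Zebra's code and not taken from the advisory): a minimal Rust model of the cache lookup described above, comparing a txid-only key with a key that also covers the authorization data. The Tx and VerifiedCache types, the toy digest and the toy authorization rule are assumptions made for illustration.

```rust
use std::collections::{hash_map::DefaultHasher, HashSet};
use std::hash::{Hash, Hasher};

// Toy stand-in for the real digests (NOT cryptographic).
fn h(data: &[u8]) -> u64 {
    let mut s = DefaultHasher::new();
    data.hash(&mut s);
    s.finish()
}

// Hypothetical V5-style transaction: `effects` alone determines the txid,
// while `auth` (signatures, proofs) is committed to by a separate digest.
#[derive(Clone)]
struct Tx { effects: Vec<u8>, auth: Vec<u8> }

impl Tx {
    fn txid(&self) -> u64 { h(&self.effects) }
    fn auth_digest(&self) -> u64 { h(&self.auth) }
    // Stand-in for the full authorization check (toy rule, an assumption):
    // the "signature" is valid when it is the effects bytes reversed.
    fn auth_is_valid(&self) -> bool { self.auth.iter().rev().eq(self.effects.iter()) }
}

// Cache of already-verified unmined transactions, indexed both ways.
#[derive(Default)]
struct VerifiedCache { by_txid: HashSet<u64>, by_full_key: HashSet<(u64, u64)> }

impl VerifiedCache {
    fn insert(&mut self, tx: &Tx) {
        self.by_txid.insert(tx.txid());
        self.by_full_key.insert((tx.txid(), tx.auth_digest()));
    }
    // Flawed lookup: a txid hit skips the authorization check entirely.
    fn accept_txid_only(&self, tx: &Tx) -> bool {
        self.by_txid.contains(&tx.txid()) || tx.auth_is_valid()
    }
    // Corrected lookup: a hit also requires the same authorization data.
    fn accept_full_key(&self, tx: &Tx) -> bool {
        self.by_full_key.contains(&(tx.txid(), tx.auth_digest())) || tx.auth_is_valid()
    }
}

// Constructed sample: (flawed result, corrected result) for a block transaction
// that reuses a cached txid but carries different, invalid auth data.
fn demo() -> (bool, bool) {
    let good = Tx { effects: b"pay 1 to A".to_vec(), auth: b"A ot 1 yap".to_vec() };
    let mut cache = VerifiedCache::default();
    cache.insert(&good);
    let bad = Tx { auth: b"garbage".to_vec(), ..good.clone() };
    (cache.accept_txid_only(&bad), cache.accept_full_key(&bad))
}

fn main() { println!("{:?}", demo()); }
```

The txid-only lookup accepts the altered transaction because the cache hit short-circuits verification; the full-key lookup misses, so the authorization check runs and rejects it.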
Recommendations

Upgrade to Zebra version 4.3.0 or later.
Upgrade to zebra-consensus version 5.0.1 or later.

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-34377
GHSA-3VMH-33XR-9CQH

Affected Products

Zebra
Zebra-Consensus