PT-2026-37129 · Unknown+1 · Zebra-Script+1

Sangsoo-Osec · Published 2026-04-18 · Updated 2026-05-14 · CVE-2026-41583

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

zebrad versions prior to 4.3.1
zebra-script versions prior to 5.0.2

Description

Following a refactoring of the verification process for transparent transactions, Zebra failed to validate a consensus rule restricting the possible values of sighash hash types for V5 transactions enabled in the NU5 network upgrade. Additionally, for V4 transactions, Zebra incorrectly used the canonical hash type when computing the sighash instead of the raw value. These issues could allow an attacker to submit transactions with invalid hash types, leading Zebra nodes to accept and potentially mine blocks that zcashd nodes would consider invalid, resulting in a consensus split and network partitioning.

Recommendations

Update zebrad to version 4.3.1 or later.
Update zebra-script to version 5.0.2 or later.
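
The hash type handling from the Description, written as a regression-style comparison. This is an added example, not code from Zebra or from the advisory. All names are hypothetical, the V5 allow-list is the set ZIP 244 defines (it is not listed on this page), and `canonical` is an assumed model of what "canonical hash type" means.

```rust
// Added illustration with hypothetical names; this is not Zebra's API.
#[derive(Clone, Copy, Debug, PartialEq)]
enum TxVersion { V4, V5 }

#[derive(Debug, PartialEq)]
struct UndefinedHashType(u8);

// Hash types ZIP 244 defines for V5 transactions:
// ALL, NONE, SINGLE, each with or without ANYONECANPAY (0x80).
const V5_DEFINED: [u8; 6] = [0x01, 0x02, 0x03, 0x81, 0x82, 0x83];

// Assumed model of "canonical": keep the base type (low 5 bits, anything
// other than NONE/SINGLE treated as ALL) and the ANYONECANPAY bit only.
fn canonical(raw: u8) -> u8 {
    let base = match raw & 0x1f { 0x02 => 0x02, 0x03 => 0x03, _ => 0x01 };
    base | (raw & 0x80)
}

// Behaviour the advisory describes before the fix: no V5 restriction,
// and the canonical value (not the raw byte) bound into the V4 sighash.
fn unpatched_hash_type(version: TxVersion, raw: u8) -> Result<u8, UndefinedHashType> {
    match version {
        TxVersion::V5 => Ok(raw),
        TxVersion::V4 => Ok(canonical(raw)),
    }
}

// Behaviour the advisory describes as correct: V5 rejects undefined hash
// types, and V4 commits to the raw byte exactly as it was supplied.
fn checked_hash_type(version: TxVersion, raw: u8) -> Result<u8, UndefinedHashType> {
    match version {
        TxVersion::V5 if !V5_DEFINED.contains(&raw) => Err(UndefinedHashType(raw)),
        _ => Ok(raw),
    }
}

// Every hash type byte on which the two behaviours disagree; a useful
// regression set for a validator that must stay in consensus.
fn divergent_bytes(version: TxVersion) -> Vec<u8> {
    (0..=u8::MAX)
        .filter(|&b| unpatched_hash_type(version, b) != checked_hash_type(version, b))
        .collect()
}

fn main() {
    for v in [TxVersion::V4, TxVersion::V5] {
        println!("{:?}: {} of 256 hash type bytes handled differently", v, divergent_bytes(v).len());
    }
}
```
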

Related Identifiers

CVE-2026-41583
GHSA-8M29-FPQ5-89JJ

Affected Products

Zebra-Script
Zebrad