PT-2026-37130 · Orchard+2

Alex Sol +1 · Published 2026-04-18 · Updated 2026-05-08 · CVE-2026-41584

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions

zebrad versions prior to 4.3.1
zebra-chain versions prior to 6.0.2
Description

Orchard transactions include an rk field, which is a randomized validating key and an elliptic curve point. The Zcash specification permits this field to be the identity (a zero value), but the orchard crate used for verifying Orchard proofs panics when it processes an rk with the identity value. The issue is in the circuits.rs file of the orchard crate, where the code retrieves the coordinates of the rk value and calls unwrap() on the results. An attacker can exploit this by submitting a crafted transaction containing an identity rk, which crashes the node and results in a Denial of Service.
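A simplified model of the failure pattern described above, as an added example that is not code from the orchard crate or from Zebra. The `Point` type, its `coordinates()` method, the error type and the function names are hypothetical stand-ins; the example contrasts calling `unwrap()` on the coordinates of an untrusted point with returning an error value the caller can handle.

```rust
use std::panic;

/// Toy stand-in for a curve point (hypothetical, not the orchard type).
/// The identity has no affine coordinates.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Point {
    Identity,
    Affine { x: u64, y: u64 },
}

impl Point {
    /// Returns None for the identity, Some((x, y)) otherwise.
    fn coordinates(self) -> Option<(u64, u64)> {
        match self {
            Point::Identity => None,
            Point::Affine { x, y } => Some((x, y)),
        }
    }
}

#[derive(Debug, PartialEq)]
enum InstanceError {
    IdentityRk,
}

/// Pattern from the description: unwrap() on a value taken from untrusted input.
fn public_inputs_unwrap(rk: Point) -> [u64; 2] {
    let (x, y) = rk.coordinates().unwrap(); // panics when rk is the identity
    [x, y]
}

/// Panic-free form: the identity case becomes an error value, and the caller
/// decides how to treat it instead of the process aborting.
fn public_inputs_checked(rk: Point) -> Result<[u64; 2], InstanceError> {
    let (x, y) = rk.coordinates().ok_or(InstanceError::IdentityRk)?;
    Ok([x, y])
}

/// Reports whether the unwrap-based path panics for the given point.
fn unwrap_path_panics(rk: Point) -> bool {
    panic::catch_unwind(move || public_inputs_unwrap(rk)).is_err()
}

fn main() {
    let sample = Point::Affine { x: 3, y: 5 }; // constructed sample values
    println!("{:?}", public_inputs_checked(sample));
    println!("{:?}", public_inputs_checked(Point::Identity));
    println!("unwrap path panics: {}", unwrap_path_panics(Point::Identity));
}
```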
Recommendations

Update zebrad to version 4.3.1 or later.
Update zebra-chain to version 6.0.2 or later.

Fix

Assertion Failure

Weakness Enumeration

Related Identifiers

CVE-2026-41584
GHSA-452V-W3GX-72WG

Affected Products

Orchard
Zebra-Chain
Zebrad