PT-2026-38618 · Zebra · Zebra

Sangsoo-Osec · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-44497

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Zebra versions 4.3.1 through 4.3.1

Description: Insufficient error handling during sighash computation can lead to consensus divergence. When an invalid sighash type is encountered, no error is returned and the sighash buffer passed in is left untouched. If a previous signature validation left a valid sighash in that buffer, a signature with an invalid hash type may be incorrectly accepted. The cause is that the foreign function interface (FFI) bridge writes to the C++ sighash buffer only when the Rust callback returns Some, while the C++ checker reads the buffer unconditionally, so the failure signal is lost. An attacker can exploit this by constructing a transparent output that executes a valid OP_CHECKSIGVERIFY followed by an OP_CHECKSIG with an undefined hash type, potentially causing network partitioning, service disruption, and double-spend attacks.

Recommendations: Update to version 4.4.0.
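The lost-failure-signal pattern from the description, modelled in a small added Rust example that is not Zebra's code: the sighash callback returns None for an undefined hash type, the bridge fills the shared buffer only on Some, and a checker that reads the buffer regardless accepts a stale digest, while a checker that honours the bridge's result rejects it. The hash-type constant, digest function and equality-based "signature" check are constructed stand-ins.

```rust
// Added model of the FFI pattern in the advisory (not Zebra's code): the
// Rust side returns None for an undefined hash type, the bridge writes the
// shared buffer only on Some, and a checker reading the buffer regardless
// loses that error. Hash types, digest and "signature" check are stand-ins.

const SIGHASH_ALL: u8 = 0x01; // the only hash type this model defines

/// Stand-in sighash computation: defined type -> digest, undefined -> None.
fn compute_sighash(hash_type: u8, script: &[u8]) -> Option<[u8; 32]> {
    if hash_type != SIGHASH_ALL { return None; }
    let mut digest = [0u8; 32];
    for (i, b) in script.iter().enumerate() {
        digest[i % 32] ^= b.wrapping_mul(31).wrapping_add(hash_type);
    }
    Some(digest)
}

/// Bridge as described: fills `buf` only on Some and reports success.
fn bridge_fill(hash_type: u8, script: &[u8], buf: &mut [u8; 32]) -> bool {
    match compute_sighash(hash_type, script) {
        Some(d) => { *buf = d; true }
        None => false,
    }
}

/// Stand-in signature check: a "signature" is valid iff it equals the digest.
fn verify(sig: &[u8; 32], digest: &[u8; 32]) -> bool { sig == digest }

/// Vulnerable checker: drops the bridge result; one verdict per (hash_type, sig).
fn checker_unconditional(ops: &[(u8, [u8; 32])], script: &[u8]) -> Vec<bool> {
    let mut buf = [0u8; 32];
    ops.iter().map(|(ht, sig)| {
        let _ = bridge_fill(*ht, script, &mut buf); // failure signal lost here
        verify(sig, &buf)                           // may see a stale digest
    }).collect()
}

/// Hardened checker: a failed sighash computation fails the signature check.
fn checker_checked(ops: &[(u8, [u8; 32])], script: &[u8]) -> Vec<bool> {
    let mut buf = [0u8; 32];
    ops.iter().map(|(ht, sig)| bridge_fill(*ht, script, &mut buf) && verify(sig, &buf)).collect()
}

/// A valid check, then one with an undefined hash type reusing the same
/// signature. Returns (vulnerable verdicts, hardened verdicts).
fn stale_buffer_demo() -> (Vec<bool>, Vec<bool>) {
    let script = b"constructed script bytes";
    let sig = compute_sighash(SIGHASH_ALL, script).expect("defined hash type");
    let ops = [(SIGHASH_ALL, sig), (0xff, sig)];
    (checker_unconditional(&ops, script), checker_checked(&ops, script))
}
```

`stale_buffer_demo()` returns `([true, true], [true, false])`: the unconditional reader accepts the second signature on the stale digest, the checked reader rejects it.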

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-44497
GHSA-GQ4H-3GRW-2RHV

Affected Products

Zebra