PT-2026-38619 · Zebra+1 · Zebra+1

Defuse +1 · Published 2026-05-07 · Updated 2026-05-08 · CVE-2026-44498

CVSS v4.0: 9.2 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions

ZEBRA versions prior to 4.4.0

Description

The block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), which allows the software to accept blocks that zcashd rejects. This discrepancy can enable a miner to split the network, as Zebra nodes would follow a chain that zcashd nodes reject. The issue stems from two undercounting errors: first, the Sigops implementation skipped the coinbase input entirely, allowing up to approximately 98 sigops to be hidden in the coinbase scriptSig. Second, Zebra failed to accumulate P2SH sigops during block validation, only computing them during the mempool-acceptance path. Consequently, blocks where the aggregate redeem-script sigops exceed 20000 are incorrectly accepted.

Recommendations

Update to version 4.4.0.
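
The two omissions described above can be seen in a simplified model of block sigop counting. This is an added example, not code from Zebra or zcashd; the names Input, Tx, scan, block_sigops and the full flag are hypothetical, and the script walker handles only direct pushes and OP_PUSHDATA1.

```rust
// Added illustration: a simplified sigop counter, not Zebra's or zcashd's code.
pub const MAX_BLOCK_SIGOPS: u64 = 20_000;
/// `spent` is the scriptPubKey being spent; `None` marks the coinbase input.
pub struct Input<'a> { pub script_sig: &'a [u8], pub spent: Option<&'a [u8]> }
pub struct Tx<'a> { pub inputs: Vec<Input<'a>>, pub outputs: Vec<&'a [u8]> }

/// Returns (sigops, last data push). With `accurate`, CHECKMULTISIG uses the
/// preceding OP_1..OP_16 as the key count instead of 20. PUSHDATA2/4 omitted.
pub fn scan(s: &[u8], accurate: bool) -> (u64, &[u8]) {
    let (mut n, mut i, mut prev, mut last) = (0u64, 0usize, 0u8, &s[..0]);
    while i < s.len() {
        let op = s[i];
        i += 1;
        let len = match op {
            0x01..=0x4b => op as usize, // direct push of `op` bytes
            0x4c if i < s.len() => { i += 1; s[i - 1] as usize } // OP_PUSHDATA1
            _ => 0,
        };
        if i + len > s.len() { break; } // truncated push: stop counting
        if len > 0 { last = &s[i..i + len]; i += len; }
        n += match op {
            0xac | 0xad => 1, // OP_CHECKSIG, OP_CHECKSIGVERIFY
            0xae | 0xaf if accurate && (0x51..=0x60).contains(&prev) => (prev - 0x50) as u64,
            0xae | 0xaf => 20, // OP_CHECKMULTISIG(VERIFY), worst case
            _ => 0,
        };
        prev = op;
    }
    (n, last)
}

fn is_p2sh(s: &[u8]) -> bool {
    s.len() == 23 && s[0] == 0xa9 && s[1] == 0x14 && s[22] == 0x87
}

/// `full == false` models the two omissions described in the advisory;
/// `full == true` also counts the coinbase scriptSig and P2SH redeem scripts.
pub fn block_sigops(txs: &[Tx], full: bool) -> u64 {
    let mut total = 0;
    for tx in txs {
        for out in &tx.outputs { total += scan(out, false).0; }
        for inp in &tx.inputs {
            if full || inp.spent.is_some() { total += scan(inp.script_sig, false).0; }
            if full && inp.spent.map_or(false, is_p2sh) {
                total += scan(scan(inp.script_sig, false).1, true).0;
            }
        }
    }
    total
}
```

A validator compares block_sigops(txs, true) against MAX_BLOCK_SIGOPS; two implementations that compute different totals for the same block will disagree on validity whenever the limit falls between them.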

Related Identifiers

CVE-2026-44498
GHSA-JV4H-J224-23CC

Affected Products

Zebra
Zcashd