Summary
Remote Denial of Service via Crafted V5 Transactions
A vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.
Severity
Critical - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.
Affected Versions
All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0.
Description
The vulnerability stems from Zebra lazily validating transaction fields that the librustzcash parsing logic validates eagerly. Zebra uses that parsing logic when it computes transaction IDs and auth digests for V5 transactions, and panics if those computations fail.
PushTransaction messages carrying malformed V5 transactions are successfully deserialized as the zebra-chain Transaction type by the network codec. When Zebra later converts those transactions into internal types to compute the TxID, it expects the conversion to succeed; a failure there triggers a panic that crashes the node.
An attacker can trigger this crash by sending a single crafted tx message to a Zebra node's public P2P port. The same issue can be triggered via the sendrawtransaction RPC method.
Fixed Versions
This issue is fixed in Zebra 4.3.0.
The fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.
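The lazy-then-panic pattern described above, as an added illustration that is not Zebra's or librustzcash's code: a toy V5-like wire format with a constructed invariant (a branch id that the internal hasher must recognise, standing in for whatever field the real bug involved) is parsed by a codec that checks only structure and then hashed by a function that assumes conversion cannot fail; beside it sits the hardened form that rejects the same input at deserialization and returns an error from TxID computation instead of panicking. The wire layout, the `KNOWN_BRANCH_IDS` table, the FNV-1a stand-in for the real digest and all function names are assumptions.

```rust
// Added example (not Zebra's code): "parse lazily, panic later" beside the
// hardened "validate eagerly, never panic" version of the same pipeline.

/// Hypothetical wire layout: [version u8][branch_id u32 LE][n u8][n x u64 LE].
#[derive(Debug, Clone, PartialEq)]
pub struct WireTx {
    pub version: u8,
    pub branch_id: u32,
    pub outputs: Vec<u64>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    UnsupportedVersion(u8),
    UnknownBranchId(u32),
}

/// Constructed table of branch ids the internal hasher knows how to encode.
const KNOWN_BRANCH_IDS: [u32; 2] = [1, 2];

/// Copies N bytes starting at `at`, or None if the buffer is too short.
fn take<const N: usize>(b: &[u8], at: usize) -> Option<[u8; N]> {
    let mut out = [0u8; N];
    out.copy_from_slice(b.get(at..at + N)?);
    Some(out)
}

/// Structural parse shared by both paths: lengths and version only.
/// This is all the vulnerable codec checked; branch_id is not validated here.
fn parse_structure(bytes: &[u8]) -> Result<WireTx, ParseError> {
    let version = *bytes.first().ok_or(ParseError::Truncated)?;
    if version != 5 {
        return Err(ParseError::UnsupportedVersion(version));
    }
    let branch_id = u32::from_le_bytes(take::<4>(bytes, 1).ok_or(ParseError::Truncated)?);
    let n = *bytes.get(5).ok_or(ParseError::Truncated)? as usize;
    let mut outputs = Vec::with_capacity(n);
    for i in 0..n {
        let raw = take::<8>(bytes, 6 + 8 * i).ok_or(ParseError::Truncated)?;
        outputs.push(u64::from_le_bytes(raw));
    }
    Ok(WireTx { version, branch_id, outputs })
}

/// Internal form used for hashing; only known branch ids have an encoding.
struct InternalTx { branch_code: u8, outputs: Vec<u64> }

fn to_internal(tx: &WireTx) -> Option<InternalTx> {
    let branch_code = KNOWN_BRANCH_IDS.iter().position(|&b| b == tx.branch_id)? as u8;
    Some(InternalTx { branch_code, outputs: tx.outputs.clone() })
}

/// FNV-1a 64 stands in for the real transaction digest.
fn digest(tx: &InternalTx) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    let mut feed = |byte: u8| { h ^= byte as u64; h = h.wrapping_mul(0x0000_0100_0000_01b3); };
    feed(tx.branch_code);
    for o in &tx.outputs { for b in o.to_le_bytes() { feed(b); } }
    h
}

/// VULNERABLE pattern: the codec accepts the message, and txid() assumes the
/// later conversion cannot fail. One message with an unknown branch_id panics.
pub mod lazy {
    use super::*;
    pub fn deserialize(bytes: &[u8]) -> Result<WireTx, ParseError> { parse_structure(bytes) }
    pub fn txid(tx: &WireTx) -> u64 {
        let internal = to_internal(tx).expect("transaction already validated");
        digest(&internal)
    }
}

/// HARDENED pattern: reject at deserialization anything the hasher would
/// refuse, and make txid() return an error instead of panicking anyway.
pub mod eager {
    use super::*;
    pub fn deserialize(bytes: &[u8]) -> Result<WireTx, ParseError> {
        let tx = parse_structure(bytes)?;
        if to_internal(&tx).is_none() { return Err(ParseError::UnknownBranchId(tx.branch_id)); }
        Ok(tx)
    }
    pub fn txid(tx: &WireTx) -> Result<u64, ParseError> {
        let internal = to_internal(tx).ok_or(ParseError::UnknownBranchId(tx.branch_id))?;
        Ok(digest(&internal))
    }
}

/// Builds a message in the hypothetical wire layout (version fixed to 5).
pub fn encode(branch_id: u32, outputs: &[u64]) -> Vec<u8> {
    let mut b = vec![5u8];
    b.extend_from_slice(&branch_id.to_le_bytes());
    b.push(outputs.len() as u8);
    for o in outputs { b.extend_from_slice(&o.to_le_bytes()); }
    b
}

/// Simulates a node handling one inbound message; true means the node stays up.
pub fn node_survives_lazy(bytes: &[u8]) -> bool {
    match lazy::deserialize(bytes) {
        Ok(tx) => std::panic::catch_unwind(|| lazy::txid(&tx)).is_ok(),
        Err(_) => true, // a rejected message is not a crash
    }
}
pub fn node_survives_eager(bytes: &[u8]) -> bool {
    match eager::deserialize(bytes) { Ok(tx) => eager::txid(&tx).is_ok(), Err(_) => true }
}

fn main() {
    let good = encode(1, &[50_000, 25_000]);
    let crafted = encode(0xdead_beef, &[1]); // constructed: branch id the hasher rejects
    println!("good tx,    eager path: node survives = {}", node_survives_eager(&good));
    println!("crafted tx, lazy path:  node survives = {}", node_survives_lazy(&crafted));
    println!("crafted tx, eager path: node survives = {}", node_survives_eager(&crafted));
}
```

The point to carry over to real code: every invariant that a later `expect`/`unwrap` relies on must be checked by the same layer that accepts untrusted bytes, and code on the network-facing path should return `Result` rather than panic, so an input that is merely malformed is dropped instead of taking the process down.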
Mitigation
Users should upgrade to Zebra 4.3.0 or later immediately.
If an immediate upgrade is not possible, users should ensure their RPC port is not exposed to the Internet. In addition, the P2P port must be closed or restricted to trusted peers to fully mitigate the risk, which may impact the node's ability to sync with the network.
Credits
Zebra thanks robustfengbin, who discovered this issue and reported it via the coordinated disclosure process.
Impact
Remote Denial of Service
- Attack Vector: Remote, unauthenticated.
- Effect: Immediate crash of the Zebra node.
- Scope: Any node with an open P2P port (default 8233) or exposed RPC interface is vulnerable.
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upgrade zebrad to 4.3.0 or later; upgrade zebra-chain to 6.0.1 or later.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-34202? CVE-2026-34202 is a critical-severity code injection vulnerability in zebrad (rust), affecting versions < 4.3.0. It is fixed in zebrad 4.3.0 and zebra-chain 6.0.1. Untrusted input is evaluated as executable code within the application's runtime environment.
- Which packages are affected by CVE-2026-34202?
  - zebrad (rust), versions < 4.3.0
  - zebra-chain (rust), versions < 6.0.1
- Is there a fix for CVE-2026-34202? Yes. CVE-2026-34202 is fixed in zebrad 4.3.0 and zebra-chain 6.0.1. Upgrade to those versions or later.
- Is CVE-2026-34202 exploitable, and should I be worried? Whether CVE-2026-34202 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-34202 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-34202?
  - Upgrade zebrad to 4.3.0 or later
  - Upgrade zebra-chain to 6.0.1 or later