Summary
CVE-2026-41583: Consensus Divergence in Transparent Sighash Hash-Type Handling
After a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes.
In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split.
Severity
Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.
Note that the impact is currently alleviated by the fact that currently most miners run zcashd.
Affected Versions
All Zebra versions prior to version 4.3.1. (Some older versions are not impacted but are no longer supported by the network.)
Description
Verification of transparent transactions inherits the Bitcoin Script verification code in C++. Since it is consensus-critical, this code was called from Zebra through foreign function interface (FFI). That interface was clunky because it required parsing the whole transaction in C++ code, which would then pull Rust libraries which could get in conflict with Zebra code. A refactoring was done so that only the verification itself was done in C++, and the rest done by Rust code, using a callback. However, in this refactoring, it was not noticed that a particular consensus rule - only accepting known hash types in transparent transaction signatures - was being enforced in C++ code and thus had to be enforced by the Rust caller.
An attacker could exploit this by:
- Submitting a V4 or V5 transaction with an invalid hash type
- The V5 transaction would be accepted by Zebra nodes but not by
zcashdnodes (and vice-versa for V4), creating a consensus split in the network.
Fixed Versions
This issue is fixed in Zebra 4.3.1.
The fix adds the consensus check in the caller of the C++ verification code. It also uses the raw hash type for V4 sighash computations.
Mitigation
Users should upgrade to Zebra 4.3.1 or later immediately.
There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.
Credits
Thanks Alex “Scalar” Sol for finding and reporting the issue, and to @sangsoo-osec who independently found the same issue and demonstrated that the V4 variant was also exploitable.
Impact
Consensus Failure
- Attack Vector: Network.
- Effect: Network partition/consensus split.
- Scope: Any Zebra affected Zebra node
CVE-2026-41583 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.3.1, 5.0.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
zebrad to 4.3.1 or later; zebra-script to 5.0.2 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-41583? CVE-2026-41583 is a critical-severity security vulnerability in zebrad (rust), affecting versions < 4.3.1. It is fixed in 4.3.1, 5.0.2.
- How severe is CVE-2026-41583? CVE-2026-41583 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-41583?
zebrad(rust) (versions < 4.3.1)zebra-script(rust) (versions < 5.0.2)
- Is there a fix for CVE-2026-41583? Yes. CVE-2026-41583 is fixed in 4.3.1, 5.0.2. Upgrade to this version or later.
- Is CVE-2026-41583 exploitable, and should I be worried? Whether CVE-2026-41583 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41583 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41583?
- Upgrade
zebradto 4.3.1 or later - Upgrade
zebra-scriptto 5.0.2 or later
- Upgrade