CVE-2026-44497

CVE-2026-44497 is a critical-severity security vulnerability in zebra-script (rust), affecting versions <= 5.0.1, and in zebrad, affecting versions < 4.4.0. It is fixed in zebra-script 6.0.0 and zebrad 4.4.0.

Summary

CVE-2026-44497: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer

The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid during sighash computation. Instead of returning an error, the normal flow would resume and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes.

Severity

Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.

Note that the impact is currently alleviated by the fact that most miners run zcashd, so a block containing such a spend would be rejected by the majority of mining nodes.

Affected Versions

Zebra 4.3.1.

Description

Verification of transparent transactions inherits the Bitcoin Script verification code in C++, called from Zebra through a foreign function interface (FFI) with a Rust callback that computes the sighash. The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj added the missing V5 hash-type consensus check on the Rust side, returning None for undefined hash types. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns Some, and the C++ checker reads that buffer unconditionally, so the failure signal is lost.

An attacker could exploit this by:

  • Constructing a transparent output spent by a script that runs a valid OP_CHECKSIGVERIFY immediately before an OP_CHECKSIG with an undefined hash type.
  • The first opcode primes the C++ sighash buffer with a valid digest; the second causes Zebra's callback to return None while the C++ checker verifies the invalid signature against the stale digest.
  • Zebra accepts the spend, zcashd rejects it, creating a consensus split in the network.
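The following Rust model, added here for illustration and not code from Zebra or the zcash_script crate, reproduces the failure mode described above and the 4.4.0 workaround described under Fixed Versions. It replaces the real ZIP-244 BLAKE2b sighash, ECDSA verification and CSPRNG with small stand-ins (a keyed mix, "signature bytes equal the digest", and a time-seeded xorshift) so that it runs offline; the hash-type rule it checks is the standard SIGHASH_ALL/NONE/SINGLE set with the optional ANYONECANPAY flag. The "C++-owned" buffer, the bridge, the opcode model and the sample transaction bytes are all assumptions of the example.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

// Transparent SIGHASH flags as used by Bitcoin Script and ZIP-244.
const SIGHASH_ALL: u8 = 0x01;
const SIGHASH_NONE: u8 = 0x02;
const SIGHASH_SINGLE: u8 = 0x03;
const SIGHASH_ANYONECANPAY: u8 = 0x80;

/// The Rust-side consensus check: only ALL/NONE/SINGLE, optionally with
/// ANYONECANPAY, are defined. 0x00, 0x04, 0x7f and the like are undefined.
fn valid_hash_type(hash_type: u8) -> bool {
    matches!(hash_type & !SIGHASH_ANYONECANPAY, SIGHASH_ALL | SIGHASH_NONE | SIGHASH_SINGLE)
}

/// Stand-in for the real sighash digest (assumption: FNV-1a state expanded with
/// splitmix64). Not cryptographic; it only needs to depend on (tx, hash_type).
fn toy_sighash(tx: &[u8], hash_type: u8) -> [u8; 32] {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in tx.iter().chain(std::iter::once(&hash_type)) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    let mut out = [0u8; 32];
    for chunk in out.chunks_mut(8) {
        h = h.wrapping_add(0x9e37_79b9_7f4a_7c15);
        let mut z = h;
        z = (z ^ (z >> 30)).wrapping_mul(0xbf58_476d_1ce4_e5b9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94d0_49bb_1331_11eb);
        z ^= z >> 31;
        chunk.copy_from_slice(&z.to_le_bytes());
    }
    out
}

/// The callback Zebra hands to the C++ verifier: `None` signals an undefined hash type.
fn sighash_callback(tx: &[u8], hash_type: u8) -> Option<[u8; 32]> {
    if !valid_hash_type(hash_type) {
        return None;
    }
    Some(toy_sighash(tx, hash_type))
}

/// Stand-in for a CSPRNG fill (assumption: time-seeded xorshift64). The real fix
/// fills the buffer with random bytes so that no signature can match it.
fn fill_random(buf: &mut [u8; 32]) {
    let nanos = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_nanos() as u64)
        .unwrap_or(1);
    let mut s = nanos | 1; // xorshift must not start from zero
    for chunk in buf.chunks_mut(8) {
        s ^= s << 13;
        s ^= s >> 7;
        s ^= s << 17;
        chunk.copy_from_slice(&s.to_le_bytes());
    }
}

#[derive(Clone, Copy, PartialEq, Debug)]
enum Bridge {
    Vulnerable, // `None` leaves the buffer untouched: the failure signal is lost
    Fixed,      // `None` overwrites the buffer with random bytes
}

/// Models the FFI bridge writing into the sighash buffer owned by the C++ side.
fn bridge_fill(sighash_buf: &mut [u8; 32], tx: &[u8], hash_type: u8, mode: Bridge) {
    match sighash_callback(tx, hash_type) {
        Some(digest) => *sighash_buf = digest,
        None if mode == Bridge::Fixed => fill_random(sighash_buf),
        None => {} // bug: stale digest from the previous opcode survives
    }
}

/// Stand-in for the C++ checker, which reads the buffer unconditionally.
/// Assumption: a signature is "valid" iff its bytes equal the digest.
fn checker_verify(sighash_buf: &[u8; 32], sig: &[u8; 32]) -> bool {
    sighash_buf == sig
}

enum Op {
    CheckSigVerify { sig: [u8; 32], hash_type: u8 },
    CheckSig { sig: [u8; 32], hash_type: u8 },
}

/// Evaluates a script made only of signature checks, sharing one sighash buffer
/// across opcodes the way a single C++ evaluator run does.
fn run_script(ops: &[Op], tx: &[u8], mode: Bridge) -> bool {
    let mut sighash_buf = [0u8; 32];
    let mut last = false;
    for op in ops {
        let (sig, hash_type, must_pass) = match op {
            Op::CheckSigVerify { sig, hash_type } => (sig, *hash_type, true),
            Op::CheckSig { sig, hash_type } => (sig, *hash_type, false),
        };
        bridge_fill(&mut sighash_buf, tx, hash_type, mode);
        last = checker_verify(&sighash_buf, sig);
        if must_pass && !last {
            return false; // OP_CHECKSIGVERIFY fails the script immediately
        }
    }
    last
}

fn main() {
    let tx = b"constructed transparent tx bytes"; // constructed sample, not a real transaction
    let sig = toy_sighash(tx, SIGHASH_ALL);
    let attack = [
        Op::CheckSigVerify { sig, hash_type: SIGHASH_ALL }, // primes the buffer with a valid digest
        Op::CheckSig { sig, hash_type: 0x00 },              // undefined hash type: callback returns None
    ];
    println!("vulnerable bridge accepts attack: {}", run_script(&attack, tx, Bridge::Vulnerable));
    println!("fixed bridge accepts attack:      {}", run_script(&attack, tx, Bridge::Fixed));
}
```

Running the model shows why the priming opcode matters: a lone OP_CHECKSIG with hash type 0x00 is rejected even by the vulnerable bridge, because the buffer still holds its initial zeros, while the OP_CHECKSIGVERIFY/OP_CHECKSIG pair is accepted. With the random-fill workaround the second check compares the reused signature against fresh random bytes and fails.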

Fixed Versions

This issue is fixed in 4.4.0.

The fix uses a workaround: the input buffer is filled with random bytes on validation failure, which makes signature validation fail (as expected) with overwhelming probability. This avoids a breaking release of the zcash_script crate. A future release will propagate the error correctly for a direct fix.

Mitigation

Users should upgrade to 4.4.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.

Credits

Zebra thanks @sangsoo-osec for finding and reporting the issue.

Impact

Consensus Failure

  • Attack Vector: Network.
  • Effect: Network partition/consensus split.
  • Scope: Any affected Zebra node, and any miner or template pipeline that relies on Zebra's validation result.

CVE-2026-44497 has a CVSS score of 9.1 (Critical). The vector is network-reachable, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (zebra-script 6.0.0, zebrad 4.4.0); upgrading removes the vulnerable code path.

Affected versions

zebra-script (<= 5.0.1)
zebrad (< 4.4.0)

Security releases

zebra-script → 6.0.0 (rust)
zebrad → 4.4.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

zebra-script to 6.0.0 or later; zebrad to 4.4.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-44497? CVE-2026-44497 is a critical-severity security vulnerability in zebra-script (rust), affecting versions <= 5.0.1, and in zebrad, affecting versions < 4.4.0. It is fixed in zebra-script 6.0.0 and zebrad 4.4.0.
  2. How severe is CVE-2026-44497? CVE-2026-44497 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-44497?
    • zebra-script (rust) (versions <= 5.0.1)
    • zebrad (rust) (versions < 4.4.0)
  4. Is there a fix for CVE-2026-44497? Yes. CVE-2026-44497 is fixed in zebra-script 6.0.0 and zebrad 4.4.0. Upgrade to these versions or later.
  5. Is CVE-2026-44497 exploitable, and should I be worried? Whether CVE-2026-44497 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44497 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44497?
    • Upgrade zebra-script to 6.0.0 or later
    • Upgrade zebrad to 4.4.0 or later

Other vulnerabilities in zebra-script

CVE-2026-44497
CVE-2026-41583
