Summary
Am I affected
You are affected if:
- You run zebrad up to and including v4.4.1.
- Your node processes blocks on any Zcash network.
The finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A consensus-valid block containing a long chain of same-address transparent self-spends can cause the intermediate per-address balance during the credit pass to exceed MAX_MONEY, triggering a panic in the finalized state writer.
Because the triggering block is consensus-valid (zcashd accepts it), the panic recurs on restart when the node re-encounters the same block. This creates a persistent chain halt that can only be resolved by a software patch.
Details
The finalized state writer at zebra-state/src/service/finalized_state/zebra_db/transparent.rs iterates all transaction outputs in a block and credits them to per-address balances before iterating inputs and debiting spent outputs. When a block contains many transparent self-spends to the same address, the intermediate credit-only balance can exceed the MAX_MONEY supply cap even though the final net balance (credits minus debits) is valid.
The code panics on the intermediate overflow via .expect() on the balance addition. Under Zebra's panic = "abort" release profile, this terminates the process. On restart, the node re-downloads and re-processes the same consensus-valid block, triggering the same panic.
An attacker with approximately 1,100–2,100 ZEC and mining capability can construct a block that permanently halts all Zebra nodes. The attacker recovers their capital (the self-spends return funds to the same address), so the net cost is the mining effort only.
Workarounds
No workaround is available. Upgrade to Zebra 4.4.2.
Credit
Reported by @sangsoo-osec.
Impact
A single consensus-valid mined block can permanently halt all Zebra nodes on the network. The halt persists across restarts. Recovery requires deploying a patched version. Downstream consumers (light wallets, exchanges, mining infrastructure) lose service for the duration of the halt.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Patched in Zebra 4.4.2. The fix processes credits and debits together per transaction rather than all credits then all debits, matching zcashd's approach.
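To make the ordering defect in the Details section and the remediation concrete, the following is an added illustration, not code from the Zebra project. It models a per-address balance writer two ways: a block-wide two-pass update (credit every output in the block, then debit every input) and a per-transaction update (apply each transaction's debits and credits before moving to the next), which is how this example reads the fix described above. The transaction model (inputs and outputs flattened to address/amount pairs instead of outpoints), the address string and the constructed self-spend chain are assumptions made for the example; MAX_MONEY is the Zcash supply cap in zatoshi. Where the original writer would hit its `.expect()` panic, this code returns an error instead so the two orderings can be compared on the same input.

```rust
use std::collections::HashMap;

/// Zcash supply cap in zatoshi (21,000,000 ZEC * 10^8 zatoshi per ZEC).
pub const MAX_MONEY: i64 = 21_000_000 * 100_000_000;

/// Balance table keyed by transparent address.
pub type Balances = HashMap<String, i64>;

/// Simplified transparent transaction: inputs debit an address, outputs credit one.
/// Real transactions reference outpoints rather than addresses; this flattening is
/// an assumption made for the example.
#[derive(Clone, Debug)]
pub struct Tx {
    pub inputs: Vec<(String, i64)>,
    pub outputs: Vec<(String, i64)>,
}

#[derive(Debug, PartialEq)]
pub enum BalanceError {
    /// The condition at which the advisory's writer panics via `.expect()`.
    ExceedsMaxMoney { address: String, attempted: i128 },
    Negative { address: String },
}

fn credit(bal: &mut Balances, addr: &str, amount: i64) -> Result<(), BalanceError> {
    let entry = bal.entry(addr.to_string()).or_insert(0);
    // Widen to i128 so the check itself cannot overflow.
    let next = *entry as i128 + amount as i128;
    if next > MAX_MONEY as i128 {
        return Err(BalanceError::ExceedsMaxMoney { address: addr.to_string(), attempted: next });
    }
    *entry = next as i64;
    Ok(())
}

fn debit(bal: &mut Balances, addr: &str, amount: i64) -> Result<(), BalanceError> {
    let entry = bal.entry(addr.to_string()).or_insert(0);
    let next = *entry as i128 - amount as i128;
    if next < 0 {
        return Err(BalanceError::Negative { address: addr.to_string() });
    }
    *entry = next as i64;
    Ok(())
}

/// Block-wide two-pass ordering described in the advisory: every output in the
/// block is credited before any input is debited, so an address's intermediate
/// balance is the sum of all its credits in the block, not its running balance.
pub fn apply_block_two_pass(start: &Balances, block: &[Tx]) -> Result<Balances, BalanceError> {
    let mut bal = start.clone();
    for tx in block {
        for (addr, amt) in &tx.outputs {
            credit(&mut bal, addr, *amt)?;
        }
    }
    for tx in block {
        for (addr, amt) in &tx.inputs {
            debit(&mut bal, addr, *amt)?;
        }
    }
    Ok(bal)
}

/// Per-transaction ordering (this example's reading of the fix): each transaction's
/// debits and credits are applied before the next transaction is considered, so the
/// intermediate balance tracks the real running balance.
pub fn apply_block_per_tx(start: &Balances, block: &[Tx]) -> Result<Balances, BalanceError> {
    let mut bal = start.clone();
    for tx in block {
        for (addr, amt) in &tx.inputs {
            debit(&mut bal, addr, *amt)?;
        }
        for (addr, amt) in &tx.outputs {
            credit(&mut bal, addr, *amt)?;
        }
    }
    Ok(bal)
}

/// Constructed input: `n` chained transactions that each spend `amount` from
/// `addr` back to `addr`. The net effect on the address's balance is zero.
pub fn self_spend_chain(addr: &str, amount: i64, n: usize) -> Vec<Tx> {
    (0..n)
        .map(|_| Tx {
            inputs: vec![(addr.to_string(), amount)],
            outputs: vec![(addr.to_string(), amount)],
        })
        .collect()
}

fn main() {
    let addr = "t1-example-address"; // constructed placeholder, not a real address
    let zec = 100_000_000i64;
    let mut start = Balances::new();
    start.insert(addr.to_string(), 1_100 * zec);
    // 20_000 self-spends of 1,100 ZEC credit 2.2e15 zatoshi before any debit runs.
    let block = self_spend_chain(addr, 1_100 * zec, 20_000);
    println!("two-pass: {:?}", apply_block_two_pass(&start, &block).map(|b| b[addr]));
    println!("per-tx:   {:?}", apply_block_per_tx(&start, &block).map(|b| b[addr]));
}
```

On the constructed block the two-pass writer reports `ExceedsMaxMoney` even though the block's net effect on the address is zero, while the per-transaction writer finishes with the starting balance unchanged; the per-transaction writer still rejects a block whose credits genuinely push an address past MAX_MONEY, so the cap check is preserved rather than removed.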
Frequently Asked Questions
- What is CVE-2026-52738? CVE-2026-52738 is a medium-severity security vulnerability in zebra-state (rust), affecting versions <= 6.0.0. It is fixed in 7.0.0, 4.5.0.
- Which packages are affected by CVE-2026-52738?
  - zebra-state (rust), versions <= 6.0.0
  - zebrad (rust), versions <= 4.4.1
- Is there a fix for CVE-2026-52738? Yes. CVE-2026-52738 is fixed in 7.0.0, 4.5.0. Upgrade to this version or later.
- Is CVE-2026-52738 exploitable, and should I be worried? Whether CVE-2026-52738 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-52738 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-52738?
  - Upgrade zebra-state to 7.0.0 or later
  - Upgrade zebrad to 4.5.0 or later
  - Upgrade