Summary
Consensus Divergence in V5 Transparent SIGHASH_SINGLE With No Corresponding Output
Zebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with SIGHASH_SINGLE and there is no transparent output at the same index as that input, validation must fail. Zebra instead asked the underlying sighash library to compute a digest, and that library produced a digest over an empty output set rather than failing. An attacker could craft a V5 transaction with more transparent inputs than outputs that Zebra accepts but zcashd rejects, creating a consensus split between Zebra and zcashd nodes.
A previous fix (GHSA-cwfq-rfcr-8hmp) addressed a closely related case in the same area of the code, but did not cover this specific one.
Severity
Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.
Note that the impact is currently alleviated by the fact that currently most miners run zcashd.
Affected Versions
Zebra 4.4.0.
Description
Verification of transparent transactions inherits the Bitcoin Script verification code in C++. Since it is consensus-critical, this code is called from Zebra through a foreign function interface (FFI), with a Rust callback that computes the sighash for each input being verified.
ZIP-244 §S.2a marks two situations as consensus failure for V5 transparent signatures:
- The signed hash type is not one of the six canonical values; and
- The hash type is
SIGHASH_SINGLE(alone or combined withANYONECANPAY) and the input has no transparent output at the same index.
zcashd enforces both rules: its SignatureHash raises an exception, and CheckSig catches it and fails the script. A previous fix (GHSA-cwfq-rfcr-8hmp) added the first rule to Zebra's V5 sighash callback. The second rule, however, was not added, Zebra's callback forwarded the request to librustzcash's ZIP-244 implementation, which handles an out-of-range SIGHASH_SINGLE output index by hashing an empty output set rather than refusing to produce a digest. As a result, Zebra would compute a well-defined sighash for the missing-output case and accept any signature that verified against it.
An attacker could exploit this by:
- Constructing a V5 transaction with two or more transparent inputs and fewer transparent outputs;
- Signing an input whose index has no matching
voutentry withSIGHASH_SINGLE(0x03) orSIGHASH_SINGLE|ANYONECANPAY(0x83), using the digest Zebra computes; - Broadcasting the transaction, or a block containing it, to the network.
Zebra would verify the transaction's transparent script and accept the transaction (and any block containing it), while zcashd would reject both, splitting Zebra nodes from the rest of the network.
Fixed Versions
This issue is fixed in Zebra 4.4.1.
Mitigation
Users should upgrade to Zebra 4.4.1 or later immediately.
There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.
Credits
Zebra thanks @sangsoo-osec, @zmanian, and @fivelittleducks for finding and reporting the issue.
Impact
Consensus Failure
- Attack Vector: Network.
- Effect: Network partition/consensus split.
- Scope: Any affected Zebra node.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
zebrad to 4.4.1 or later; zebra-script to 6.0.1 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-PVMV-CWG8-V6C8? GHSA-PVMV-CWG8-V6C8 is a critical-severity security vulnerability in zebrad (rust), affecting versions < 4.4.1. It is fixed in 4.4.1, 6.0.1.
- Which packages are affected by GHSA-PVMV-CWG8-V6C8?
zebrad(rust) (versions < 4.4.1)zebra-script(rust) (versions < 6.0.1)
- Is there a fix for GHSA-PVMV-CWG8-V6C8? Yes. GHSA-PVMV-CWG8-V6C8 is fixed in 4.4.1, 6.0.1. Upgrade to this version or later.
- Is GHSA-PVMV-CWG8-V6C8 exploitable, and should I be worried? Whether GHSA-PVMV-CWG8-V6C8 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-PVMV-CWG8-V6C8 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-PVMV-CWG8-V6C8?
- Upgrade
zebradto 4.4.1 or later - Upgrade
zebra-scriptto 6.0.1 or later
- Upgrade