CVE-2026-34202
Published: 31 March 2026
Summary
CVE-2026-34202 is a high-severity Code Injection (CWE-94) vulnerability in Zfnd Zebra. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the specific flaw in Zebra's transaction processing logic, enabling patching to versions 4.3.0 and 6.0.1 as recommended.
Mandates secure error handling to prevent panics and crashes during transaction ID calculation failures from specially crafted V5 transactions.
Enforces validation of incoming V5 transactions at network interfaces to block malformed inputs that pass deserialization but trigger ID calculation failures.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation of public-facing Zebra node (T1190) via crafted transaction input, directly causing application crash and denial of service (T1499.004).
NVD Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is…
more
triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
Deeper analysisAI
CVE-2026-34202 is a vulnerability in Zebra, a Zcash node implementation written entirely in Rust, affecting zebrad versions prior to 4.3.0 and zebra-chain versions prior to 6.0.1. The flaw resides in Zebra's transaction processing logic, where a specially crafted V5 transaction can pass initial deserialization but trigger a failure during transaction ID calculation, causing the node to panic and crash. It is associated with CWEs-94 (code injection), CWE-1336, and CWE-502 (deserialization of untrusted data), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by sending the malicious V5 transaction to a vulnerable Zebra node over the network. Successful exploitation results in a denial-of-service condition, as the node crashes due to the panic, disrupting its availability for transaction validation and blockchain synchronization without impacting confidentiality or integrity.
The issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1. Security advisories recommend immediate upgrading to these fixed versions to mitigate the risk. Additional details are available in the GitHub release notes (https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0), the security advisory (https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg), and the Zcash Foundation announcement (https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements).
Details
- CWE(s)