CVE-2026-34377
Published: 31 March 2026
Summary
CVE-2026-34377 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Zfnd Zebra. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the transaction verification cache logic error through patching to zebrad 4.3.0 and zebra-consensus 5.0.1, preventing acceptance of invalid blocks.
Requires monitoring security alerts, advisories, and directives such as the Zebra GHSA-3vmh-33xr-9cqh and Zcash Foundation announcement to identify and address this CVE promptly.
Provides vulnerability scanning and monitoring to identify deployments of vulnerable Zebra versions affected by CVE-2026-34377 prior to malicious exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a logic error in a publicly accessible Zcash node (Zebra) that allows a remote attacker to send a crafted block with invalid data, which is accepted due to the cache mismatch. This directly matches exploitation of a public-facing application over the network (T1190).
NVD Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid…
more
transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.
Deeper analysisAI
CVE-2026-34377 is a logic error in the transaction verification cache of Zebra, a Zcash node implementation written entirely in Rust. The vulnerability affects zebrad versions prior to 4.3.0 and zebra-consensus versions prior to 5.0.1. It stems from CWE-347 (Incorrect Comparison) and has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant integrity and availability impacts.
A malicious miner with low privileges can exploit this issue by crafting a block that includes a transaction matching the txid of a valid transaction but with invalid authorization data. Vulnerable Zebra nodes would accept this invalid block due to the cache mismatch, resulting in a consensus split where affected nodes diverge from the main Zcash network, including invulnerable Zebra nodes and Zcashd implementations. While invalid transactions themselves are not accepted, the split disrupts network synchronization and could enable chain reorganization attacks by the miner.
Patches addressing this vulnerability are available in zebrad version 4.3.0 and zebra-consensus version 5.0.1. Security practitioners running Zebra nodes should upgrade immediately, as detailed in the GitHub release notes (https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0), the Zebra security advisory (https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh), and the Zcash Foundation announcement (https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements).
Details
- CWE(s)