CVE-2026-40880
Published: 21 April 2026
Summary
CVE-2026-40880 is a high-severity Comparison Using Wrong Factors (CWE-1025) vulnerability in Zfnd Zebra-Consensus. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40880 is a logic error in the transaction verification cache of Zebra, a Zcash node written entirely in Rust. The vulnerability affects zebrad versions prior to 4.3.1 and zebra-consensus versions prior to 5.0.2, enabling a consensus split under specific conditions. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-1025.
A malicious miner with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. By submitting a transaction valid for block height H+1 but invalid for H+2, and then mining that transaction into a block at height H+2, the attacker causes vulnerable Zebra nodes to accept the invalid block. This leads to a consensus split, where affected nodes diverge from the rest of the Zcash network, compromising integrity and availability.
The vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2. Additional details on the issue and mitigation are available in the GitHub Security Advisory at https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24266
Vulnerability details
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The CVE describes a logic error in the public-facing Zcash node (Zebra) that is directly exploitable over the network by a low-privileged attacker to cause nodes to accept invalid blocks and trigger a consensus split, mapping to exploitation of a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation by upgrading to zebrad 4.3.1 and zebra-consensus 5.0.2 directly eliminates the transaction verification cache logic error that enables consensus splits.
Vulnerability monitoring and scanning identifies vulnerable Zebra versions affected by CVE-2026-40880, enabling proactive patching before malicious miner exploitation.
Verification of transaction verification security functions ensures the cache logic correctly handles transactions invalid at specific block heights, mitigating acceptance of invalid blocks.
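One way to carry out the version check that the monitoring and remediation controls above call for, as an added example that is not part of the original page or of the Zebra project: it reads a Cargo.lock and reports zebrad and zebra-consensus entries older than the fixed versions named on this page. The sample lock file is constructed, and the function names are hypothetical.

```python
import re

# Fixed versions as stated on this page for CVE-2026-40880.
FIXED = {"zebrad": "4.3.1", "zebra-consensus": "5.0.2"}

# Cargo.lock lists each crate as a [[package]] table with name, then version.
PACKAGE_RE = re.compile(
    r'^\[\[package\]\]\nname = "(?P<name>[^"]+)"\nversion = "(?P<version>[^"]+)"',
    re.MULTILINE,
)

# Constructed sample input; the zebra-chain entry and its version are made up.
SAMPLE_LOCK = '''\
[[package]]
name = "zebra-chain"
version = "3.0.0"

[[package]]
name = "zebra-consensus"
version = "5.0.1"

[[package]]
name = "zebrad"
version = "4.3.1"
'''

def version_key(version):
    """Sort key for MAJOR.MINOR.PATCH[-pre][+build]; a pre-release sorts before its release."""
    core, _, _build = version.partition("+")
    core, dash, _pre = core.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return (numbers, 0 if dash else 1)

def affected_packages(cargo_lock_text):
    """Return sorted (name, locked_version, fixed_version) for crates older than their fix."""
    findings = []
    for match in PACKAGE_RE.finditer(cargo_lock_text):
        name, version = match["name"], match["version"]
        fixed = FIXED.get(name)
        if fixed and version_key(version) < version_key(fixed):
            findings.append((name, version, fixed))
    return sorted(findings)

if __name__ == "__main__":
    for name, version, fixed in affected_packages(SAMPLE_LOCK):
        print(f"{name} {version} is affected; upgrade to {fixed} or later")
```

Pre-release builds of a fixed version (for example a release candidate) are reported as affected, because semantic versioning orders them before the release itself.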