Cyber Resilience

CVE-2026-41583

Critical

Published: 08 May 2026

Modified: 08 May 2026
CVSS Score (v4): 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0028 (19.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-41583 is a critical-severity Improper Following of Specification by Caller (CWE-573) vulnerability in Zfnd Zebra-Script. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions, which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also create a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.
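As an added illustration (not code from Zebra or zcashd), the two rules the description refers to, written as small Rust checks: the v5 hash-type whitelist, which follows the Zcash protocol specification for NU5 transactions, and the v4 sighash preimage field that must commit to the raw hash type rather than a canonicalised one. The function names and the Bitcoin-style canonicalisation rule are assumptions; the differential check at the end goes beyond the description by enumerating every byte value on which a raw and a canonicalising validator would disagree.

```rust
// Added illustration, not code from Zebra or zcashd. Function names and the
// canonicalisation rule are assumptions; the v5 whitelist follows the Zcash
// protocol specification for v5 (NU5) transactions.
const SIGHASH_ALL: u32 = 0x01;
const SIGHASH_NONE: u32 = 0x02;
const SIGHASH_SINGLE: u32 = 0x03;
const SIGHASH_ANYONECANPAY: u32 = 0x80;

#[derive(Debug, PartialEq, Eq)]
pub enum HashTypeError {
    /// The raw hash type is not one of the values permitted in a v5 transaction.
    InvalidV5HashType(u32),
}

/// v5 consensus rule: the hash type must be exactly ALL, NONE or SINGLE,
/// optionally ORed with ANYONECANPAY. Anything else invalidates the signature
/// and the block carrying it; a node that skips this check accepts blocks that
/// spec-following nodes reject, which is the consensus split described above.
pub fn check_v5_hash_type(raw: u32) -> Result<u32, HashTypeError> {
    let base = raw & !SIGHASH_ANYONECANPAY;
    let only_defined_bits = (raw & !(0x03 | SIGHASH_ANYONECANPAY)) == 0;
    if only_defined_bits && matches!(base, SIGHASH_ALL | SIGHASH_NONE | SIGHASH_SINGLE) {
        Ok(raw)
    } else {
        Err(HashTypeError::InvalidV5HashType(raw))
    }
}

/// Bitcoin-style "canonical" reading (assumed here): the low five bits select
/// NONE or SINGLE, anything else behaves as ALL, bit 0x80 is ANYONECANPAY.
/// This reading decides what the signature commits to, not what bytes are hashed.
pub fn canonical_hash_type(raw: u32) -> u32 {
    let base = match raw & 0x1f {
        SIGHASH_NONE | SIGHASH_SINGLE => raw & 0x1f,
        _ => SIGHASH_ALL,
    };
    base | (raw & SIGHASH_ANYONECANPAY)
}

/// Trailing 4-byte little-endian hash_type field of the v4 sighash preimage.
/// Per the spec and zcashd this is the RAW value taken from the signature.
pub fn v4_hash_type_field(raw: u32) -> [u8; 4] {
    raw.to_le_bytes()
}

/// The mistaken variant: committing to the canonical value instead, which
/// changes the digest (and the verdict) for every raw value that canonicalises.
pub fn v4_hash_type_field_canonical(raw: u32) -> [u8; 4] {
    canonical_hash_type(raw).to_le_bytes()
}

/// Differential check over every byte a signature can carry: all raw hash
/// types on which the raw and canonical preimage fields, hence two validators, differ.
pub fn divergent_v4_hash_types() -> Vec<u32> {
    (0u32..=0xff)
        .filter(|&raw| v4_hash_type_field(raw) != v4_hash_type_field_canonical(raw))
        .collect()
}
```

The values on which the two v4 variants agree are exactly the six values the v5 whitelist permits (0x01, 0x02, 0x03, 0x81, 0x82, 0x83); every other byte is a consensus-split candidate under either bug.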

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in public-facing Zcash node allows crafted V4/V5 transactions to bypass consensus checks, enabling acceptance of invalid blocks.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44498 (same product: Zfnd Zebrad)
CVE-2026-44497 (same product: Zfnd Zebra-Script)
CVE-2026-40880 (same product: Zfnd Zebrad)
CVE-2026-41584 (same product: Zfnd Zebrad)
CVE-2026-34377 (same vendor: Zfnd)
CVE-2026-40881 (same product: Zfnd Zebrad)
CVE-2026-34202 (same vendor: Zfnd)
CVE-2026-28498 (shared CWE-573)

Affected Assets

zfnd zebra-script: ≤ 5.0.2
zfnd zebrad: ≤ 4.3.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
