CVE-2026-34377 Vulnerability Analysis & Exploit Details

CVE-2026-34377 Vulnerability Summary

CVE-2026-34377: ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This would not allow invalid transactions to be accepted but could result in a consensus split between vulnerable Zebra nodes and invulnerable Zebra and Zcashd nodes. This issue has been patched in zebrad version 4.3.0 and zebra-consensus version 5.0.1.

CVE-2026-34377 References

External References

• https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0
• https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-3vmh-33xr-9cqh
• https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Padding Oracle Crypto Attack CAPEC-463 An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
• Signature Spoofing by Improper Validation CAPEC-475 An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.

Vulnerable Configurations

• cpe:2.3:a:zfnd:zebra:1.0.0:-:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:-:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc0:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc0:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc1:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc1:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc2:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc2:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc3:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc3:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc4:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc4:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc5:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc5:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc6:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc6:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc7:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc7:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc8:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc8:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:rc9:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:rc9:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta0:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta0:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta1:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta1:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta2:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta2:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta3:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta3:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta4:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta4:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta5:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta5:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta6:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta6:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta7:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta7:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta8:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta8:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta9:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta9:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha0:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha0:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha1:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha1:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha10:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha10:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha11:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha11:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha12:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha12:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha13:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha13:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha14:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha14:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha15:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha15:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha16:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha16:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha17:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha17:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha18:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha18:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha19:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha19:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha2:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha2:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha3:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha3:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha4:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha4:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha5:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha5:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha6:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha6:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha7:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha7:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha8:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha8:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:alpha9:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:alpha9:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta10:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta10:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta11:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta11:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta12:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta12:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta13:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta13:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta14:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta14:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.0:beta15:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.0:beta15:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.0.1:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.0.1:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.1.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.1.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.2.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.2.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.3.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.3.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.4.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.4.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.5.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.5.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.5.1:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.5.1:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.5.2:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.5.2:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.6.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.6.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.6.1:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.6.1:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.7.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.7.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.8.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.8.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:1.9.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:1.9.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.0.0:-:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.0.0:-:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.0.0:rc0:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.0.0:rc0:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.0.1:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.0.1:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.1.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.1.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.2.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.2.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.3.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.3.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.4.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.4.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.4.2:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.4.2:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:2.5.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:2.5.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:3.0.0:-:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:3.0.0:-:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:3.0.0:rc0:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:3.0.0:rc0:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:3.1.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:3.1.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:4.0.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:4.0.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:4.1.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:4.1.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra:4.2.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra:4.2.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:-:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:-:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta25:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta25:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta26:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta26:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta27:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta27:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta28:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta28:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta29:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta29:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta30:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta30:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta31:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta31:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta32:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta32:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta34:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta34:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta35:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta35:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta36:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta36:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta37:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta37:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta38:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta38:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta39:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta39:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta42:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta42:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta43:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta43:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta45:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta45:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta46:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:1.0.0:beta46:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:2.0.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:2.0.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:3.0.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:3.0.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:3.1.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:3.1.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:3.1.1:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:3.1.1:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:3.1.2:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:3.1.2:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:4.0.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:4.0.0:*:*:*:*:rust:*:*
• cpe:2.3:a:zfnd:zebra-consensus:5.0.0:*:*:*:*:rust:*:*
  cpe:2.3:a:zfnd:zebra-consensus:5.0.0:*:*:*:*:rust:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2026-44364 – MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerabil...
• CVE-2026-44363 – MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerabil...
• CVE-2026-44351 – fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-...
• CVE-2026-42552 – Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exc...
• CVE-2026-42551 – Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and...