CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-452V-W3GX-72WG

GHSA-452v-w3gx-72wg: Remote Denial of Service via Identity Point Panic in Zebra Zcash Node

Alon Barad
Alon Barad
Software Engineer

Apr 19, 2026·6 min read·10 visits

Executive Summary (TL;DR)

An unauthenticated remote attacker can crash a vulnerable Zebra node by broadcasting a crafted Orchard transaction where the `rk` field is the identity point. This triggers an `.unwrap()` panic in the underlying `orchard` crate, leading to immediate process termination.

The Zebra Zcash node implementation is vulnerable to a critical remote denial-of-service attack due to a logic error in Orchard transaction verification. An unhandled exception occurs when processing the randomized validating key (`rk`) if it is set to the Pallas curve identity point.

Vulnerability Overview

Zebra is a prominent Rust-based implementation of the Zcash node protocol developed by the Zcash Foundation. The node handles complex cryptographic validations for shielded transactions, specifically utilizing the Orchard protocol. Orchard transactions require rigorous verification of zero-knowledge proofs to maintain ledger integrity and privacy.

Vulnerability GHSA-452v-w3gx-72wg represents a critical denial-of-service condition affecting all Zebra node versions prior to 4.3.1. The flaw resides in the handling of the randomized validating key, denoted as rk, within the Orchard bundle of a Zcash transaction. When a malicious transaction supplies a specific mathematical edge case for this key, it triggers an unhandled exception in the underlying cryptography libraries.

The vulnerability is classified as CWE-248: Uncaught Exception. Exploitation requires no authentication, user interaction, or elevated privileges, allowing an attacker to remotely crash nodes by broadcasting a single crafted transaction over the peer-to-peer network.

Root Cause Analysis

The root cause originates in the orchard Rust crate, specifically within the circuits.rs file responsible for verifying Orchard signatures. The randomized validating key rk is represented mathematically as an elliptic curve point on the Pallas curve. The specification originally allowed the identity point, a theoretical zero value in the elliptic curve group, to be passed as a valid rk value.

To perform signature verification, the node must convert the rk point into its affine coordinates, denoted as (x, y). The identity point is the point at infinity and fundamentally lacks finite affine coordinates. When the extraction function is called on the identity point, it correctly returns an Option type containing None.

A logic error exists where the developer assumed the extraction function would always return Some coordinate pair. The code appends .unwrap() to the extraction call. In Rust, calling .unwrap() on a None value immediately triggers a fatal panic, terminating the entire node process.

This panic bypasses all graceful error handling mechanisms within the Zebra node. Because the transaction validation occurs on the main or heavily relied-upon worker threads, the panic results in instantaneous node termination.

Code Analysis

The vulnerable pattern in the orchard crate involves blind coordinate extraction. The exact flawed logic operates on the Pallas curve point structure, executing an unwrap operation on an expected Option or Result type.

// Representative vulnerable logic pattern in orchard crate
let rk_point = parse_point(transaction.rk);
let (x, y) = rk_point.to_affine().unwrap(); // Panics if rk_point is identity
verify_signature(x, y, signature);

Addressing the issue by modifying the orchard crate directly posed coordination risks and potential early disclosure. The Zebra development team opted to implement the fix at the transaction parsing boundary. The patched code intercepts the transaction during deserialization and validates the rk value before it ever reaches the orchard crate.

The patch introduces an explicit check against the Pallas curve identity point. If the rk value evaluates to the identity point, the Zebra node rejects the transaction outright with a defined error state.

// Patched parsing logic in zebra-chain
let rk_point = parse_point(transaction.rk);
if bool::from(rk_point.is_identity()) {
    return Err(TransactionError::InvalidOrchardRk);
}
// Proceed to safe verification

Exploitation

An attacker exploits this vulnerability by constructing a malicious Zcash transaction containing an Orchard shielded bundle. The attacker sets the rk field within this bundle to the encoded representation of the Pallas curve identity point. The remainder of the transaction does not need to be mathematically sound, provided it bypasses initial pre-flight checks.

Once constructed, the attacker broadcasts the transaction to the Zcash peer-to-peer network. The attack requires no special network position, as standard node gossip protocols will propagate the malicious transaction to vulnerable Zebra nodes.

When a vulnerable node receives the transaction into its mempool, it begins the verification process. The parsing phase passes the malformed rk to the orchard crate, triggering the unwrap panic and immediately crashing the node.

A variant of this attack involves mining the malicious transaction into a block using a custom or non-vulnerable mining setup. If the transaction is embedded in the blockchain, any vulnerable Zebra node attempting to sync that block will deterministically crash. This creates a persistent denial-of-service condition, rendering the node permanently incapable of syncing past that specific block height.

Impact Assessment

The denial-of-service impact is critical, carrying a CVSS 4.0 score of 8.7. The vulnerability allows remote attackers to unconditionally terminate the zebrad process on demand. Because the exploit relies solely on standard network communication, the attack surface encompasses the entire public Zcash network running vulnerable software.

Immediate node crashes disrupt active services relying on the node, including wallets, exchanges, and block explorers. In a transient attack via the mempool, the node operator can restart the service, but the node remains vulnerable to repeated broadcasts.

The highest impact scenario involves a malicious miner embedding the trigger transaction into the permanent ledger. This action forces all vulnerable nodes into a persistent crash loop upon block synchronization. Such an event fractures network consensus, as Zebra nodes fail to progress while updated nodes or different implementations continue processing the chain.

Remediation

The immediate mitigation requires all node operators to upgrade to Zebra version 4.3.1. This release contains the parsing-layer checks that safely reject identity rk values without invoking the vulnerable code path in the orchard crate.

No effective configuration workarounds exist for prior versions. The vulnerability triggers during fundamental transaction processing, which cannot be disabled without rendering the node non-functional on the Zcash network.

In parallel with the software patch, the Zcash Foundation and the developers of zcashd coordinated a formal update to the Zcash protocol specification. The specification now explicitly forbids the use of the identity point as a valid randomized validating key across all implementations.

Security operations teams should monitor system logs for unexpected process terminations associated with the Zebra node. Specifically, logging systems should alert on Rust panics originating from the orchard crate or circuits.rs, as these strongly indicate an active exploitation attempt against unpatched infrastructure.

Technical Appendix

CVSS Score
8.7/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Systems

Zebra (zebrad)Zebra (zebra-chain)Zcash network nodes

Affected Versions Detail

Product
Affected Versions
Fixed Version
Zebra
Zcash Foundation
< 4.3.14.3.1
AttributeDetail
CWE IDCWE-248
Attack VectorNetwork
CVSS 4.08.7
ImpactDenial of Service
Exploit Statusnone
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1498Network Denial of Service
Impact
T1499Endpoint Denial of Service
Impact
CWE-248
Uncaught Exception

Panic due to .unwrap() on a None value when extracting coordinates.

Vulnerability Timeline

Zebra v4.3.1 Released
2026-04-17
Advisory Published
2026-04-18

References & Sources

  • [1]GitHub Security Advisory GHSA-452v-w3gx-72wg
  • [2]Official Zebra Release v4.3.1
  • [3]Zcash Community Forum Announcement
  • [4]OSV Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 18 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 19 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 20 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 21 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 22 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 23 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read