CVE-2026-41584
ZEBRA: rk Identity Point Panic in Transaction Verification
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.
| CWE | CWE-617 |
| Vendor | zcashfoundation |
| Product | zebra |
| Published | May 8, 2026 |
| Last Updated | May 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for zcashfoundation zebra
Be the first to know when new unknown vulnerabilities affecting zcashfoundation zebra are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
ZcashFoundation / zebra
zebra-chain < 6.0.2 zebrad < 4.3.1