CVE-2026-44497— ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44497
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Source: NVD (National Vulnerability Database)
Vulnerability Description
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. This issue has been patched in zebrad version 4.4.0 and zebra-script version 6.0.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| ZcashFoundation | zebra | zebra-script < 6.0.0 | - |
II. Public POCs for CVE-2026-44497
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44497
Please Login to view more intelligence information
Same Patch Batch · ZcashFoundation · 2026-05-08 · 7 CVEs total
| CVE-2026-44500 | 5.3 MEDIUM | ZEBRA: Allocation Amplification in Inbound Network Deserializers |
| CVE-2026-41585 | ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients | |
| CVE-2026-41583 | ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling | |
| CVE-2026-41584 | ZEBRA: rk Identity Point Panic in Transaction Verification | |
| CVE-2026-44498 | ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops | |
| CVE-2026-44499 | ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning |
IV. Related Vulnerabilities
Same product: zebra
- CVE-2026-44499
ZEBRA: Permanent Block Discovery Halt via Gossip Queue Satur - CVE-2026-44500
ZEBRA: Allocation Amplification in Inbound Network Deseriali - CVE-2026-44498
ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops - CVE-2026-41585
ZEBRA: Denial of Service via Interrupted JSON-RPC Requests f - CVE-2026-41584
ZEBRA: rk Identity Point Panic in Transaction Verification
Same vendor: ZcashFoundation
- CVE-2026-44499
ZEBRA: Permanent Block Discovery Halt via Gossip Queue Satur - CVE-2026-44500
ZEBRA: Allocation Amplification in Inbound Network Deseriali - CVE-2026-44498
ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops - CVE-2026-41585
ZEBRA: Denial of Service via Interrupted JSON-RPC Requests f - CVE-2026-41584
ZEBRA: rk Identity Point Panic in Transaction Verification
Same weakness: CWE-347
- CVE-2026-42193
Plunk: SNS webhook forgery - CVE-2026-41669
Admidio: SAML Signature Validation Result Ignored — Forged A - CVE-2026-7689
Dolibarr ERP CRM Online Signature security.lib.php dol_verif - CVE-2026-33467
Improper Verification of Cryptographic Signature in Elastic - CVE-2026-6986
Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_
V. Comments for CVE-2026-44497
No comments yet