## CVE-2026-34202: Remote Denial of Service Vulnerability (Crafted V5 Transaction) ### Vulnerability Overview A vulnerability exists in Zebra's transaction processing logic, allowing remote unauthenticated attackers to crash Zebra nodes (panic) by sending specially crafted V5 transactions. These transactions pass initial deserialization but fail during the transaction ID calculation phase. **Root Cause**: Zebra delays validation of transaction fields in the `librustzcash` parsing logic. When calculating V5 transaction IDs and auth digests, a panic is triggered if the calculation fails. **Attack Vector**: Send a single crafted `tx` message to a Zebra node's public P2P port, or trigger via the `sendrawtransaction` RPC method. ### Affected Scope | Component | Affected Versions | Fixed Version | |:---|:---|:---| | zebra-chain (Rust) | < 6.0.1 | 6.0.1 | | zebrad (Rust) | < 4.3.0 | 4.3.0 | - All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) below version 4.3.0 - Any node with open P2P ports (default 8233) or exposed RPC interfaces is affected **CVSS v4 Score**: 9.2/10 (Critical) ### Remediation 1. **Upgrade immediately** to Zebra 4.3.0 or higher 2. **If immediate upgrade is not possible**: - Ensure RPC ports are not exposed to the internet - Note: P2P ports must remain open or be restricted to trusted nodes, otherwise node synchronization capabilities may be affected **Fix Principle**: Ensure all transactions that would cause TxID calculation failures are rejected during the initial deserialization phase, and replace internal panics with graceful error handling. ### Acknowledgments - **Discoverer**: robustfungiblein - **Fix Developers**: arya2, upbqdn - **Fix Reviewer**: conradoplg - **Analysis**: alchemycad