CVE-2026-35679

Description

Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Zcash zcashd < 6.12.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept for CVE-2026-35679
# This script demonstrates the logic of sending a raw transaction
# that might bypass Sprout proof verification in vulnerable zcashd nodes.
import json
import requests

# Target vulnerable node RPC endpoint (Example)
RPC_URL = "http://127.0.0.1:8232"
RPC_USER = "user"
RPC_PASS = "pass"

def send_raw_transaction(raw_hex):
    headers = {'content-type': 'application/json'}
    payload = {
        "method": "sendrawtransaction",
        "params": [raw_hex],
        "jsonrpc": "2.0",
        "id": "poc_cve_2026_35679"
    }
    try:
        response = requests.post(
            RPC_URL,
            auth=(RPC_USER, RPC_PASS),
            data=json.dumps(payload),
            headers=headers
        )
        return response.json()
    except Exception as e:
        return str(e)

# Note: Actual exploitation requires crafting a specific raw hex transaction
# that triggers the proof bypass logic. This is a placeholder for the mechanism.
# malicious_tx_hex = "04000080... (crafted invalid sprout tx)"
# print(send_raw_transaction(malicious_tx_hex))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35679
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35679
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35679/
[4] VulDB https://vuldb.com/cve/CVE-2026-35679
[5] https://github.com/zcash/zcash/commit/db969c63f48f0f9fc518112ed0b7ace1af78b9d0
[6] https://github.com/zcash/zcash/releases/tag/v6.12.0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35679", "sourceIdentifier": "[email protected]", "published": "2026-04-05T22:16:01.193", "lastModified": "2026-05-19T18:14:16.780", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-358"}]}], "references": [{"url": "https://github.com/zcash/zcash/commit/db969c63f48f0f9fc518112ed0b7ace1af78b9d0", "source": "[email protected]"}, {"url": "https://github.com/zcash/zcash/releases/tag/v6.12.0", "source": "[email protected]"}]}}