CVE-2026-44497 - Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to
CVE-2026-44497 - Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to
GHSA-gq4h-3grw-2rhv CRITICAL rust/zebra-script
CVE: CVE-2026-44497
CVE-2026-44497: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Summary
The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue due to insuficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes.
Severity
Critical - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.
Note that the impact is currently alleviated by the fact that currently most miners run zcashd.
Affected Versions
Zebra 4.3.1.
Description
Verification of transparent transactions inherits the Bitcoin Script verification code in C++, called from Zebra through a foreign function interface (FFI) with a Rust callback that computes the sighash. The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj added the missing V5 hash-type consensus check on the Rust side, returning None for undefined hash types. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns Some, and the C++ checker reads that buffer unconditionally, so the failure signal is lost.
An attacker could exploit this by:
- Constructing a transparent output spent by a script that runs a valid
OP_CHECKSIGVERIFYimmediately before anOP_CHECKSIGwith an undefined hash type. - The first opcode primes the C++ sighash buffer with a valid digest; the second causes Zebra's callback to return
Nonewhile the C++ checker verifies the invalid signature against
📌 来源: GitHub-Advisory | 🆔 CVE-2026-44497 | 📅 2026-05-07