We are releasing Zebra 4.3.0 today. This release contains critical security fixes and all node operators are strongly encouraged to upgrade immediately.
In addition to the security patches, this release introduces support for the Network Sustainability Mechanism (ZIP-235), improves developer tooling for performance profiling, and resolves several other bugs.
Security Advisories
CVE-2026-34202: Remote Denial of Service via Crafted V5 Transactions (Critical, CVSS 9.2)
A vulnerability in Zebra’s transaction processing logic allows a remote, unauthenticated attacker to crash a Zebra node by sending a specially crafted V5 transaction that passes initial deserialization but triggers a panic during transaction ID calculation. The fix ensures such transactions are rejected during initial deserialization and replaces internal panics with graceful error handling.
CVE-2026-34377: Consensus Failure via Crafted V5 Authorization Data (High, CVSS 8.4)
A logic error in Zebra’s transaction verification cache could allow a malicious miner to induce a consensus split by matching a valid transaction’s txid while providing invalid authorization data. This would not allow invalid transactions to be accepted, but could result in a chain fork isolating affected nodes. The fix ensures verification is only skipped when full transaction integrity — including authorization data — is validated against the mempool entry.
Security Fixes
This release addresses two vulnerabilities in Zebra’s transaction verification and deserialization logic. We are disclosing them here so that node operators understand the urgency of upgrading.
V5 Transaction Proof Verification Bypass
A bug in Zebra’s consensus logic allowed V5 transactions to be automatically marked as verified based solely on their mined transaction IDs, causing full proof verification to be skipped. To be clear, this did not allow invalid transactions to be accepted, the transactions themselves were otherwise valid. However, by skipping proof checks that other node implementations enforce, this inconsistency could have led to a chain split between Zebra nodes and the rest of the network if a transaction with an invalid proof were mined. This has been fixed so that V5 transactions are always subject to complete proof verification regardless of their mined ID status (#10425). Thanks to alexs-scalar for discovering and responsibly disclosing the vulnerability.
Transaction Deserialization Panic
A separate issue was identified where certain transactions could trigger a panic during deserialization when processed through librustzcash. This could potentially be exploited to crash a Zebra node. The fix adds proper validation to ensure that transactions can be safely deserialized before further processing (#10426). Thanks to robustfengbin for responsibly disclosing the vulnerability and working with us to quickly reproduce and remediate it.
Improved Test Coverage
To prevent regressions in this area, the V5 transaction test generator and NU5 branch ID strategy have been updated to provide broader coverage of these edge cases going forward. (#10429)
New Features
Network Sustainability Mechanism (ZIP-235)
This release adds an initial implementation of ZIP-235, the Network Sustainability Mechanism, a key protocol addition for the long-term economic health of the Zcash network. Note that ZIP-235 support is currently disabled by default and gated behind a feature flag. It is not active in production builds at this time, but is available for testing and development. (#10357)
Profiling Documentation and Tooling
A dedicated profiling Cargo profile has been added along with expanded documentation on how to use it. Developers looking to diagnose performance bottlenecks or optimize Zebra’s behavior will find the updated profiling workflow significantly smoother. (#10411)
Other Bug Fixes
Block Propagation on Regtest
A bug was preventing blocks from being properly propagated on the Regtest network. This has been resolved, restoring reliable block propagation for local development and testing. (#10403)
Pre-Canopy Block Subsidy Calculation
The getblocksubsidy RPC was not correctly computing miner rewards for blocks prior to the Canopy network upgrade, it failed to subtract the Founders’ Reward from the block subsidy. This is now handled correctly. (#10338)
Testnet Performance Regression
A performance regression on Testnet caused Zebra to consume an entire CPU thread unnecessarily due to repeated parsing of checkpoints. The fix caches parsed checkpoints, eliminating the redundant work. (#10409)
Upgrading
We strongly recommend all Zebra node operators upgrade to 4.3.0 as soon as possible, particularly due to the security fixes described above. You can find the release on GitHub.
Thank You to Our Contributors
This release was made possible by the work of @arya2, @conradoplg, @gustavovalverde, @judah-caruso, @nuttycom, @oxarbitrage, and @upbqdn. Thank you for your continued contributions to Zebra.
Zebra is the Zcash Foundation’s independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.
