CVE 9.2 CRITICAL

ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops_CVE-2026-44498

May 8, 2026 invoker category_cve

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Description

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.

AI Analysis

Block validator undercounts transparent signature operations, allowing blocks to be accepted that zcashd rejects, potentially splitting the network.

Basic Information

ID CVE-2026-44498

Source GitHub_M

Published May 8, 2026 at 15:09

Affected Product

Vendor ZcashFoundation

Product zebra

Version < 4.4.0

Affected Versions ZcashFoundation zebra < 4.4.0

CWE Classification

CWE-682

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor ZcashFoundation

Product Zebra

Version < 4.4.0

References

{
    "lastseen": "",
    "description": "ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.",
    "published": "2026-05-08T15:09:09.919Z",
    "modified": "2026-05-08T15:09:09.919Z",
    "type": "cve",
    "title": "ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops",
    "source": "GitHub_M",
    "references": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-jv4h-j224-23cc\nhttps://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0",
    "id": "CVE-2026-44498",
    "bulletinFamily": "",
    "cwe": [
        "CWE-682"
    ],
    "cvelist": null,
    "sourceData": "ZcashFoundation zebra < 4.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zebra",
    "version": "< 4.4.0",
    "vendor": "ZcashFoundation",
    "ai_description": "Block validator undercounts transparent signature operations, allowing blocks to be accepted that zcashd rejects, potentially splitting the network.",
    "ai_severity": "Critical",
    "ai_vendor": "ZcashFoundation",
    "ai_product": "Zebra",
    "ai_version": "< 4.4.0",
    "ai_score": 9.2
}

💭 Join the Security Discussion ❌ Cancel Reply