Zcash Foundation issues Zebra 4.4.0 after consensus bugs

Zcash Foundation released Zebra 4.4.0 on May 2, 2026, fixing five vulnerabilities, three of them consensus-critical bugs that could split the network; node operators are urged to upgrade immediately.

The Zcash Foundation released Zebra 4.4.0 on May 2, 2026, to patch five security flaws in Zebra, the Rust-based Zcash node implementation. The Foundation urged all node operators to upgrade without delay.

Three of the five vulnerabilities are consensus-critical: they could have let Zebra nodes accept blocks or transactions that the legacy zcashd client rejects, creating a risk of divergent chains. The most severe issue overall, tracked as GHSA-28xj-328h-72vm, could let a remote attacker stop a Zebra node from discovering new blocks over a single connection by exploiting how Zebra shares and downloads peer information. The Foundation wrote that the exploit “produced zero misbehavior score, zero bans, and zero disconnections,” so it leaves no trace in the peer-discipline mechanisms and standard monitoring that operators would normally rely on to spot an abusive peer.

One of the consensus issues, GHSA-jv4h-j224-23cc, caused Zebra to undercount the signature operations (sigops) in a block: its validation ignored two sources of sigops, the coinbase input’s scriptSig and P2SH sigops. Because the per-block sigop limit is enforced against that count, an attacker could construct a block whose real sigop count exceeded the limit yet passed Zebra’s checks while failing validation on zcashd, giving the two implementations differing views of the chain.
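To make the undercount concrete, here is an added example written for this article; it is not Zebra’s code and does not reproduce the patched function. It implements the two sigop-counting passes that zcashd inherits from Bitcoin Core (the legacy count over every scriptSig and scriptPubKey, with OP_CHECKMULTISIG counted as 20, and the accurate count over the redeem script of each P2SH spend) and then totals a constructed two-transaction block twice: once skipping the coinbase scriptSig and P2SH redeem scripts, as the advisory describes, and once counting everything. The transactions, keys and signatures are dummy bytes, and the 20,000 sigop block limit is the zcashd constant.

```rust
// Added example (not Zebra's code): sigop counting as in zcashd / Bitcoin Core
// (GetLegacySigOpCount + GetP2SHSigOpCount), applied to a constructed block.
const OP_0: u8 = 0x00;
const OP_PUSHDATA1: u8 = 0x4c;
const OP_PUSHDATA2: u8 = 0x4d;
const OP_PUSHDATA4: u8 = 0x4e;
const OP_1: u8 = 0x51;
const OP_16: u8 = 0x60;
const OP_DUP: u8 = 0x76;
const OP_EQUAL: u8 = 0x87;
const OP_EQUALVERIFY: u8 = 0x88;
const OP_HASH160: u8 = 0xa9;
const OP_CHECKSIG: u8 = 0xac;
const OP_CHECKSIGVERIFY: u8 = 0xad;
const OP_CHECKMULTISIG: u8 = 0xae;
const OP_CHECKMULTISIGVERIFY: u8 = 0xaf;
const MAX_PUBKEYS_PER_MULTISIG: u32 = 20;
pub const MAX_BLOCK_SIGOPS: u32 = 20_000; // zcashd consensus limit

/// One parsed script element: the opcode byte and any data it pushes.
struct Op<'a> { opcode: u8, data: &'a [u8] }

/// Parse top-level opcodes; like Bitcoin Core's loop, a truncated push stops
/// parsing and the opcodes seen so far are kept.
fn parse(script: &[u8]) -> Vec<Op<'_>> {
    let (mut ops, mut i) = (Vec::new(), 0);
    while i < script.len() {
        let opcode = script[i];
        i += 1;
        let len = match opcode {
            0x01..=0x4b => opcode as usize,
            OP_PUSHDATA1 => match script.get(i) { Some(&n) => { i += 1; n as usize } None => break },
            OP_PUSHDATA2 => match script.get(i..i + 2) { Some(b) => { i += 2; u16::from_le_bytes([b[0], b[1]]) as usize } None => break },
            OP_PUSHDATA4 => match script.get(i..i + 4) { Some(b) => { i += 4; u32::from_le_bytes([b[0], b[1], b[2], b[3]]) as usize } None => break },
            _ => 0,
        };
        let data = match script.get(i..i + len) { Some(d) => d, None => break };
        i += len;
        ops.push(Op { opcode, data });
    }
    ops
}

/// Count CHECKSIG-family opcodes. In `accurate` mode a CHECKMULTISIG preceded by
/// OP_1..OP_16 counts that many keys; otherwise it counts as 20.
pub fn sigop_count(script: &[u8], accurate: bool) -> u32 {
    let (mut n, mut last) = (0u32, None::<u8>);
    for op in parse(script) {
        match op.opcode {
            OP_CHECKSIG | OP_CHECKSIGVERIFY => n += 1,
            OP_CHECKMULTISIG | OP_CHECKMULTISIGVERIFY => match last {
                Some(k) if accurate && (OP_1..=OP_16).contains(&k) => n += (k - OP_1 + 1) as u32,
                _ => n += MAX_PUBKEYS_PER_MULTISIG,
            },
            _ => {}
        }
        last = Some(op.opcode);
    }
    n
}

/// OP_HASH160 <20 bytes> OP_EQUAL
pub fn is_p2sh(spk: &[u8]) -> bool {
    spk.len() == 23 && spk[0] == OP_HASH160 && spk[1] == 0x14 && spk[22] == OP_EQUAL
}

/// Sigops inside the redeem script (the last push of scriptSig) when the spent
/// output is P2SH; zero if scriptSig contains anything other than pushes.
pub fn p2sh_sigop_count(prevout_spk: &[u8], script_sig: &[u8]) -> u32 {
    if !is_p2sh(prevout_spk) { return 0; }
    let mut redeem: &[u8] = &[];
    for op in parse(script_sig) {
        if op.opcode > OP_16 { return 0; }
        redeem = op.data;
    }
    sigop_count(redeem, true)
}

/// `prevout_spk == None` marks the coinbase input.
pub struct Input { pub prevout_spk: Option<Vec<u8>>, pub script_sig: Vec<u8> }
pub struct Tx { pub inputs: Vec<Input>, pub outputs: Vec<Vec<u8>> }

/// Block-level total. The two `skip_*` flags model the omissions the advisory
/// describes; both false gives the zcashd-style count.
pub fn block_sigops(txs: &[Tx], skip_coinbase_scriptsig: bool, skip_p2sh: bool) -> u32 {
    let mut total = 0;
    for tx in txs {
        for input in &tx.inputs {
            let is_coinbase = input.prevout_spk.is_none();
            if !(is_coinbase && skip_coinbase_scriptsig) {
                total += sigop_count(&input.script_sig, false);
            }
            if !skip_p2sh {
                if let Some(spk) = &input.prevout_spk {
                    total += p2sh_sigop_count(spk, &input.script_sig);
                }
            }
        }
        for out in &tx.outputs { total += sigop_count(out, false); }
    }
    total
}

pub fn within_limit(total: u32) -> bool { total <= MAX_BLOCK_SIGOPS }

fn p2pkh() -> Vec<u8> { let mut s = vec![OP_DUP, OP_HASH160, 0x14]; s.extend([0x11u8; 20]); s.extend([OP_EQUALVERIFY, OP_CHECKSIG]); s }
fn p2sh_spk() -> Vec<u8> { let mut s = vec![OP_HASH160, 0x14]; s.extend([0x22u8; 20]); s.push(OP_EQUAL); s }
/// OP_2 <33-byte key> x3 OP_3 OP_CHECKMULTISIG (dummy keys): 3 accurate sigops.
fn redeem_2_of_3() -> Vec<u8> { let mut s = vec![0x52]; for k in 0..3u8 { s.push(0x21); s.extend([0x30 + k; 33]); } s.extend([0x53, OP_CHECKMULTISIG]); s }

/// Constructed block: a coinbase whose (never executed, only length-bounded)
/// scriptSig carries five bare OP_CHECKMULTISIG bytes, plus one P2SH spend.
pub fn sample_block() -> Vec<Tx> {
    let mut cb_sig = vec![0x02, 0x10, 0x27]; // height push, then 5 x 20 = 100 legacy sigops
    cb_sig.extend([OP_CHECKMULTISIG; 5]);
    let coinbase = Tx { inputs: vec![Input { prevout_spk: None, script_sig: cb_sig }], outputs: vec![p2pkh()] };
    let redeem = redeem_2_of_3();
    let mut sig = vec![OP_0]; // OP_0 <sig> <sig> <redeem via PUSHDATA1>
    for _ in 0..2 { sig.push(0x47); sig.extend([0x30u8; 71]); }
    sig.push(OP_PUSHDATA1); sig.push(redeem.len() as u8); sig.extend(&redeem);
    let spend = Tx { inputs: vec![Input { prevout_spk: Some(p2sh_spk()), script_sig: sig }], outputs: vec![p2pkh()] };
    vec![coinbase, spend]
}

fn main() {
    let block = sample_block();
    println!("count skipping coinbase scriptSig and P2SH: {}", block_sigops(&block, true, true));
    println!("zcashd-style full count:                    {}", block_sigops(&block, false, false));
}
```

The skipped count sees only the two P2PKH outputs (2 sigops); the full count also sees the 100 legacy sigops in the coinbase scriptSig and the 3 in the redeem script (105). Scale the same construction up and a block can sit far over MAX_BLOCK_SIGOPS while the reduced count stays under it.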

Another consensus-critical bug, GHSA-gq4h-3grw-2rhv, stemmed from an earlier sighash change that left stale data in a temporary buffer reachable through Zebra’s C++ foreign function interface. In the scenario the Foundation described, a valid signature check fills the buffer, and a later transaction with an invalid hash type, which should fail, passes verification against the leftover hash. As an interim mitigation, Zebra now overwrites that buffer with random bytes whenever a check fails, until a permanent fix lands.

Two further fixes address a message-reading routine that could consume excessive memory (GHSA-438q-jx8f-cccv) and a minor verification discrepancy (GHSA-cwfq-rfcr-8hmp) that was unlikely to be exploitable in practice but has been changed to match zcashd’s behavior. Security researcher Sangsoo-osec is credited with discovering three of the five issues.

The Foundation noted that Zebra 4.4.0 contains no significant changes beyond the security fixes and provided upgrade instructions in its advisory and patch notes. Operators running older Zebra versions remain exposed to all five vulnerabilities, including the block-discovery halt, which needs only a single malicious connection to trigger.

The release follows a month of elevated losses across the crypto industry. Security firm CertiK reported roughly $651 million in losses in April 2026, while industry trackers recorded about 28 to 30 separate incidents that month. Two large breaches accounted for most documented losses: a social-engineering exploit that cost Drift Protocol about $285 million on April 1 and a message-spoofing attack on KelpDAO that targeted a LayerZero cross-chain bridge and resulted in roughly $293 million in losses on April 18. None of these incidents targeted Zcash directly.

At the time of the Zebra 4.4.0 release, ZEC traded near $377.46 and Zcash’s market capitalization was about $6.28 billion.
