{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40880", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:18:22.657Z", "dateUpdated": "2026-04-21T19:52:58.880Z"}, "containers": {"cna": {"title": "Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks", "problemTypes": [{"descriptions": [{"cweId": "CWE-1025", "lang": "en", "description": "CWE-1025: Comparison Using Wrong Factors", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf"}], "affected": [{"vendor": "ZcashFoundation", "product": "zebrad", "versions": [{"version": "< 4.3.1", "status": "affected"}]}, {"vendor": "ZcashFoundation", "product": "zebra-consensus", "versions": [{"version": "< 5.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:18:22.657Z"}, "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2."}], "source": {"advisory": "GHSA-xvj8-ph7x-65gf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:52:38.860835Z", "id": "CVE-2026-40880", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:52:58.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:52:38.860835Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:52:54.543Z"}}], "cna": {"title": "Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks", "source": {"advisory": "GHSA-xvj8-ph7x-65gf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ZcashFoundation", "product": "zebrad", "versions": [{"status": "affected", "version": "< 4.3.1"}]}, {"vendor": "ZcashFoundation", "product": "zebra-consensus", "versions": [{"status": "affected", "version": "< 5.0.2"}]}], "references": [{"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf", "name": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1025", "description": "CWE-1025: Comparison Using Wrong Factors"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:18:22.657Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40880", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:52:58.880Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:18:22.657Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2."}], "id": "CVE-2026-40880", "lastModified": "2026-04-21T20:17:01.687", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:01.687", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1025"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T05:30:56.769332+00:00", "value": {"mitigation_remediation": ["Upgrade zebrad to version 4.3.1 or later", "Upgrade zebra\u2011consensus to version 5.0.2 or later", "Restart all Zebra nodes after the upgrade to enforce the updated consensus rules"], "summary": {"action": "Patch immediately", "impact": "Consensus split and potential invalid block acceptance"}, "threat_synthesis": {"affected_systems": "Zebra nodes built from the ZcashFoundation\u2019s zebrad code base before version 4.3.1 and the zebra-consensus library before version 5.0.2 are vulnerable. These include ZcashFoundation:zebra-consensus and ZcashFoundation:zebrad products. Nodes running newer releases are not affected.", "description_and_impact": "The vulnerability arises from a logic error in Zebra\u2019s transaction verification cache. A malicious miner can craft a transaction that passes verification at a given height but fails once the block is confirmed. If such a transaction is included in a block that reaches the accepted height, Zebra nodes may accept an invalid block. This leads to a consensus split, allowing the faulty block to propagate in a subset of nodes while the rest of the network follows the correct chain. The weakness corresponds to CWE-1025, representing a logic or algorithmic flaw.", "risk_and_exploitability": "The CVSS score of 7.2 indicates medium to high severity. No EPSS score is populated, so current exploit probability is unknown, but the vulnerability requires a miner capable of submitting blocks on the network. It permits a malicious actor to induce a split in the blockchain, potentially creating a temporary fork until the issue is resolved. The fault is not listed in the CISA KEV catalog, and no publicly disclosed exploits have been reported. Because the condition to trigger the bug depends on transaction submission and mining, an attacker would need direct mining or controlling a mining pool. Nevertheless, the potential impact on consensus integrity makes it a significant risk for operators of full nodes."}}}}, "created": "2026-04-22T05:45:09.818210+00:00", "updated": "2026-04-22T05:45:09.818221+00:00", "vendors": []}