CVE-2026-44497

描述

# CVE-2026-44497: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer ## Summary The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue due to insuficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. ## Severity **Critical** - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes. Note that the impact is currently alleviated by the fact that currently most miners run `zcashd`. ## Affected Versions Zebra 4.3.1. ## Description Verification of transparent transactions inherits the Bitcoin Script verification code in C++, called from Zebra through a foreign function interface (FFI) with a Rust callback that computes the sighash. The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj added the missing V5 hash-type consensus check on the Rust side, returning `None` for undefined hash types. However, the FFI bridge only writes to the C++ sighash buffer when the callback returns `Some`, and the C++ checker reads that buffer unconditionally, so the failure signal is lost. An attacker could exploit this by: - Constructing a transparent output spent by a script that runs a valid `OP_CHECKSIGVERIFY` immediately before an `OP_CHECKSIG` with an undefined hash type. - The first opcode primes the C++ sighash buffer with a valid digest; the second causes Zebra's callback to return `None` while the C++ checker verifies the invalid signature against the stale digest. - Zebra accepts the spend, zcashd rejects it, creating a consensus split in the network. ## Impact **Consensus Failure** - **Attack Vector:** Network. - **Effect:** Network partition/consensus split. - **Scope:** Any affected Zebra node, and any miner or template pipeline that relies on Zebra's validation result. ## Fixed Versions This issue is fixed in 4.4.0. The fixes uses a workaround where the input buffer is filled with random bytes on validation failure, which makes signature validation fail (as expected) with overwhelming probability. This avoids a breaking release of the `zcash_script` crate. A future release will propagate the error correctly for a direct fix. ## Mitigation Users should upgrade to 4.4.0 or later immediately. There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks. ## Credits Zebra thanks @sangsoo-osec for finding and reporting the issue.

受影響套件(2)

• crates.io/zebradfrom 0, < 4.4.0
• crates.io/zebra-scriptfrom 0, < 6.0.0

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-44497
• PATCHhttps://github.com/ZcashFoundation/zebra
• WEBhttps://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0
• WEBhttps://github.com/ZcashFoundation/zebra/security/advisories/GHSA-gq4h-3grw-2rhv