Improper Following of Specification by Caller Affecting zebrad package, versions <4.4.1


Severity: critical. Recommended: 0.0 (scale 0 to 10)

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-ZEBRAD-16624671
  • published: 10 May 2026
  • disclosed: 8 May 2026
  • credit: sangsoo-osec, fivelittleducks

Introduced: 8 May 2026

CVE: NOT AVAILABLE
CWE-354
CWE-573

How to fix?

Upgrade zebrad to version 4.4.1 or higher.

Overview

zebrad is the Zcash Foundation's independent, consensus-compatible implementation of a Zcash node.

Affected versions of this package are vulnerable to Improper Following of Specification by Caller through improper validation in the consensus verification process. An attacker can cause network partitioning and potential double-spend scenarios by crafting a transaction with more transparent inputs than outputs, signing an input with SIGHASH_SINGLE or SIGHASH_SINGLE|ANYONECANPAY where there is no corresponding output, and broadcasting it to the network. This leads affected nodes to accept transactions that other nodes reject, resulting in a consensus split.
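The condition described above can be expressed as a pre-acceptance check. The following is an added illustration, not zebrad's code or the 4.4.1 fix: `TransparentView`, `UnmatchedSingle` and both function names are hypothetical, the transaction is reduced to one sighash-type byte per transparent input plus an output count, and the sample values are constructed.

```rust
// Added illustration with simplified, hypothetical types (not zebrad's API).
const SIGHASH_SINGLE: u8 = 0x03;
const SIGHASH_ANYONECANPAY: u8 = 0x80;

/// Simplified view of a transaction's transparent part (assumption):
/// the sighash-type byte used by each input, in input order, and the
/// number of transparent outputs.
pub struct TransparentView {
    pub input_hash_types: Vec<u8>,
    pub output_count: usize,
}

#[derive(Debug, PartialEq)]
pub struct UnmatchedSingle {
    pub input_index: usize,
    pub hash_type: u8,
}

/// Returns every input signed with SIGHASH_SINGLE, with or without
/// ANYONECANPAY, that has no output at the same index.
pub fn unmatched_sighash_single(tx: &TransparentView) -> Vec<UnmatchedSingle> {
    tx.input_hash_types
        .iter()
        .enumerate()
        .filter(|(i, ht)| {
            // Strip the ANYONECANPAY modifier before comparing the base type.
            (**ht & !SIGHASH_ANYONECANPAY) == SIGHASH_SINGLE && *i >= tx.output_count
        })
        .map(|(i, ht)| UnmatchedSingle { input_index: i, hash_type: *ht })
        .collect()
}

/// A validator following the rule described in this advisory rejects the
/// transaction when any such input exists.
pub fn is_acceptable(tx: &TransparentView) -> bool {
    unmatched_sighash_single(tx).is_empty()
}

fn main() {
    // Constructed sample: three inputs, two outputs; input 2 uses
    // SIGHASH_SINGLE|ANYONECANPAY (0x83) and has no matching output.
    let tx = TransparentView { input_hash_types: vec![0x01, 0x03, 0x83], output_count: 2 };
    for hit in unmatched_sighash_single(&tx) {
        println!("reject: input {} uses hash type {:#04x} with no output at that index",
                 hit.input_index, hit.hash_type);
    }
    println!("acceptable: {}", is_acceptable(&tx));
}
```

Having more inputs than outputs is not itself the problem: the check only fires when an input beyond the last output index is signed with a SINGLE-based hash type.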
