Operation on a Resource after Expiration or Release Affecting zebrad package, versions <4.5.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-ZEBRAD-17808058
  • published3 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-52733  (opens in a new tab)
CWE-459  (opens in a new tab)
CWE-672  (opens in a new tab)

How to fix?

Upgrade zebrad to version 4.5.0 or higher.

Overview

zebrad is a The Zcash Foundation's independent, consensus-compatible implementation of a Zcash node

Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release in the pop_tip process. An attacker can cause persistent corruption of subtree root data by triggering chain forks and subsequent block reverts, leading to incorrect wallet synchronization or wallet state for downstream consumers. This is only exploitable if the node participates in a network where chain forks occur and the default configuration is used.

Workaround

This vulnerability can be mitigated by periodically verifying subtree root consistency using z_getsubtreesbyindex against a known-good reference.

CVSS Base Scores

version 4.0
version 3.1