Vulnerability Details CVE-2026-44498
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.1%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-44498
-
cpe:2.3:a:zfnd:zebrad:1.0.0
-
cpe:2.3:a:zfnd:zebrad:1.0.1
-
cpe:2.3:a:zfnd:zebrad:1.1.0
-
cpe:2.3:a:zfnd:zebrad:1.2.0
-
cpe:2.3:a:zfnd:zebrad:1.3.0
-
cpe:2.3:a:zfnd:zebrad:1.4.0
-
cpe:2.3:a:zfnd:zebrad:1.5.0
-
cpe:2.3:a:zfnd:zebrad:1.5.2
-
cpe:2.3:a:zfnd:zebrad:1.6.0
-
cpe:2.3:a:zfnd:zebrad:1.6.1
-
cpe:2.3:a:zfnd:zebrad:1.7.0
-
cpe:2.3:a:zfnd:zebrad:1.8.0
-
cpe:2.3:a:zfnd:zebrad:1.9.0
-
cpe:2.3:a:zfnd:zebrad:2.0.1
-
cpe:2.3:a:zfnd:zebrad:2.1.0
-
cpe:2.3:a:zfnd:zebrad:2.2.0
-
cpe:2.3:a:zfnd:zebrad:2.3.0
-
cpe:2.3:a:zfnd:zebrad:2.4.0
-
cpe:2.3:a:zfnd:zebrad:2.4.1
-
cpe:2.3:a:zfnd:zebrad:2.4.2
-
cpe:2.3:a:zfnd:zebrad:2.5.0
-
cpe:2.3:a:zfnd:zebrad:3.0.0
-
cpe:2.3:a:zfnd:zebrad:3.1.0
-
cpe:2.3:a:zfnd:zebrad:4.0.0
-
cpe:2.3:a:zfnd:zebrad:4.1.0
-
cpe:2.3:a:zfnd:zebrad:4.2.0
-
cpe:2.3:a:zfnd:zebrad:4.3.0
-
cpe:2.3:a:zfnd:zebrad:4.3.1