A vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.
Critical - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.
All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0.
The vulnerability stems from Zebra lazily validating transaction fields that the librustzcash parsing logic validates eagerly. Zebra uses that librustzcash logic when it computes transaction IDs and auth digests for V5 transactions, and it panics if those computations fail.
PushTransaction messages carrying malformed V5 transactions are successfully deserialized by the network codec as the zebra-chain Transaction type. When Zebra then converts those transactions into internal types to compute the TxID, it expects the conversion to succeed, and the failure triggers a panic (crash).
An attacker can trigger this crash by sending a single crafted tx message to a Zebra node's public P2P port. The same issue can be triggered via the sendrawtransaction RPC method.
Remote Denial of Service
This issue is fixed in Zebra 4.3.0.
The fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.
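The bug class and the fix described above, as an added Rust illustration that is not Zebra or librustzcash code: a lenient decoder feeds a strict ID routine that the caller assumes cannot fail, shown next to a version that validates at the decode boundary. The wire format, `RawTx`, `CheckedTx` and all function names are hypothetical, and the sample bytes are constructed.

```rust
// Added illustration with toy types; not Zebra or librustzcash code.
// Constructed wire format: [version: u8][kind: u8][payload...]
#[derive(Debug, PartialEq)]
pub enum TxError { Truncated, UnknownKind(u8) }

pub struct RawTx { pub kind: u8, pub payload: Vec<u8> }

/// Lenient network codec: checks framing only and defers field validation.
pub fn decode_lenient(bytes: &[u8]) -> Result<RawTx, TxError> {
    if bytes.len() < 2 { return Err(TxError::Truncated); }
    Ok(RawTx { kind: bytes[1], payload: bytes[2..].to_vec() })
}

/// Strict ID routine (stand-in for a second, stricter parser): rejects unknown kinds.
pub fn compute_id(tx: &RawTx) -> Result<u64, TxError> {
    if tx.kind > 1 { return Err(TxError::UnknownKind(tx.kind)); }
    let mut h: u64 = 0xcbf29ce484222325; // FNV-1a as a placeholder digest
    for b in std::iter::once(&tx.kind).chain(&tx.payload) {
        h = (h ^ u64::from(*b)).wrapping_mul(0x100000001b3);
    }
    Ok(h)
}

/// Before: the ID is assumed infallible after decoding, so remote input can panic.
pub fn handle_before(bytes: &[u8]) -> Result<u64, TxError> {
    let tx = decode_lenient(bytes)?;
    Ok(compute_id(&tx).expect("deserialized tx always has an id"))
}

/// After: the strict check runs at the decode boundary and errors propagate.
pub struct CheckedTx { pub raw: RawTx, pub id: u64 }

pub fn decode_checked(bytes: &[u8]) -> Result<CheckedTx, TxError> {
    let raw = decode_lenient(bytes)?;
    let id = compute_id(&raw)?; // reject here instead of panicking later
    Ok(CheckedTx { raw, id })
}

fn main() {
    let good = [5u8, 1, 0xaa, 0xbb]; // constructed sample
    let bad = [5u8, 9, 0xaa, 0xbb]; // constructed: passes framing, fails the strict check
    println!("{:?}", decode_checked(&good).map(|t| t.id));
    println!("{:?}", decode_checked(&bad).map(|t| t.id));
}
```

Because `CheckedTx` can only be built through `decode_checked`, later code that reads `id` has no fallible step left to unwrap.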
Users should upgrade to Zebra 4.3.0 or later immediately.
If an immediate upgrade is not possible, users should ensure their...
Versions: 6.0.1, 4.3.0
CVSS 4.0 score: 9.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H