CVE-2026-41584: Zebra has rk Identity Point Panic in Transaction Verification

April 18, 2026 (updated April 27, 2026)

Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a “zero” value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash.

References

github.com/ZcashFoundation/zebra
github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg
github.com/advisories/GHSA-452v-w3gx-72wg
nvd.nist.gov/vuln/detail/CVE-2026-41584

Code Behaviors & Features

Detect and mitigate CVE-2026-41584 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →