Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. zebra-state
  4. ›
  5. CVE-2026-52738

CVE-2026-52738: Zebra: Finalized address balance credit-first overflow on consensus-valid blocks

July 2, 2026

The finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A consensus-valid block containing a long chain of same-address transparent self-spends can cause the intermediate per-address balance during the credit pass to exceed MAX_MONEY, triggering a panic in the finalized state writer.

Because the triggering block is consensus-valid (zcashd accepts it), the panic recurs on restart when the node re-encounters the same block. This creates a persistent chain halt that can only be resolved by a software patch.

References

  • github.com/ZcashFoundation/zebra/security/advisories/GHSA-w834-cf6p-9m9w
  • github.com/advisories/GHSA-w834-cf6p-9m9w
  • nvd.nist.gov/vuln/detail/CVE-2026-52738

Code Behaviors & Features

Detect and mitigate CVE-2026-52738 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 7.0.0

Fixed versions

  • 7.0.0

Solution

Upgrade to version 7.0.0 or above.

Impact 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Learn more about CVSS

Weakness

  • CWE-248: Uncaught Exception

Source file

cargo/zebra-state/CVE-2026-52738.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Fri, 03 Jul 2026 12:18:27 +0000.