CVE-2026-52739: Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection
Chain::push in the non-finalized state updates the transaction-location index (tx_loc_by_hash) before it runs the duplicate shielded-nullifier guard. When an invalid child block repeats a shielded transaction from its non-finalized parent, the assert_eq!(prior_pair, None, "transactions must be unique within a single chain") fires before the contextual validation that would cleanly reject the duplicate. Under Zebra’s panic = "abort" release profile, this terminates the entire node process.
The block should be rejected with a duplicate-nullifier contextual validation error. Instead, the ordering of index updates within Chain::push causes the process to abort.
References
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/Cargo.toml
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-consensus/src/transaction.rs
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-state/src/service/non_finalized_state/chain.rs
- github.com/ZcashFoundation/zebra/security/advisories/GHSA-hhm7-qrv5-h4r6
- github.com/advisories/GHSA-hhm7-qrv5-h4r6
- nvd.nist.gov/vuln/detail/CVE-2026-52739
Code Behaviors & Features
Detect and mitigate CVE-2026-52739 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →