GHSA-cwfq-rfcr-8hmp: Zebra's Transparent SIGHASH_SINGLE Handling Diverges from zcashd for Corresponding Outputs
For V5+ transparent spends, Zebra and zcashd disagree on the same consensus rule: SIGHASH_SINGLE must fail when the input index has no corresponding output. zcashd treats this as consensus-invalid under ZIP-244, while Zebra’s transparent verification path computes a digest for the missing-output case instead of failing.
The result is a direct block-validity split. A malformed V5 transparent transaction can be accepted by Zebra, retained in Zebra’s mempool, selected into Zebra’s getblocktemplate, mined into a block, and then rejected by zcashd.
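The rule at issue, as an added Rust sketch (a simplified model written for this page, not Zebra or zcashd source): it fails closed when a SIGHASH_SINGLE signature has no output at the input's index instead of producing a digest. All function and type names are hypothetical, the hash-type bytes are passed in directly rather than parsed from scripts, and the sample transaction is constructed.

```rust
// Added illustration; a simplified model, not code from Zebra or zcashd.
const SIGHASH_ALL: u8 = 0x01;
const SIGHASH_NONE: u8 = 0x02;
const SIGHASH_SINGLE: u8 = 0x03;
const SIGHASH_ANYONECANPAY: u8 = 0x80;

#[derive(Debug, PartialEq)]
enum OutputsCommitment { All, Single(usize), Empty }

#[derive(Debug, PartialEq)]
enum SighashError {
    NoCorrespondingOutput { input_index: usize, output_count: usize },
    UnsupportedHashType(u8), // model choice: anything outside the three base types is rejected
}

/// What the transparent outputs digest commits to for one input's signature.
/// The missing-output case is an error, never a digest over "nothing".
fn outputs_commitment(hash_type: u8, input_index: usize, output_count: usize)
    -> Result<OutputsCommitment, SighashError>
{
    match hash_type & !SIGHASH_ANYONECANPAY {
        SIGHASH_ALL => Ok(OutputsCommitment::All),
        SIGHASH_NONE => Ok(OutputsCommitment::Empty),
        SIGHASH_SINGLE if input_index < output_count => Ok(OutputsCommitment::Single(input_index)),
        SIGHASH_SINGLE => Err(SighashError::NoCorrespondingOutput { input_index, output_count }),
        _ => Err(SighashError::UnsupportedHashType(hash_type)),
    }
}

/// Checks every transparent input of a transaction, given the hash_type byte
/// of each input's signature (in input order) and the number of outputs.
fn check_transparent_inputs(hash_types: &[u8], output_count: usize) -> Result<(), SighashError> {
    for (index, &hash_type) in hash_types.iter().enumerate() {
        outputs_commitment(hash_type, index, output_count)?;
    }
    Ok(())
}

fn main() {
    // Constructed sample: two inputs, one output; input 1 signs with SIGHASH_SINGLE.
    let hash_types = [SIGHASH_ALL, SIGHASH_SINGLE];
    match check_transparent_inputs(&hash_types, 1) {
        Ok(()) => println!("accepted"),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

A node whose mempool and block-template path applies the same check as its block validation does not relay or mine a transaction that a peer implementation will reject.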