Zcash Patches Four Critical Vulnerabilities Across Both Full-Node Implementations
The post Zcash Patches Four Critical Vulnerabilities Across Both Full-Node Implementations appeared on BitcoinEthereumNews.com.
TLDR:
- Security researcher Alex “Scalar” Sol reported four Zcash vulnerabilities on April 4, 2026, via coordinated disclosure channels.
- A crafted Orchard transaction with an all-zeros randomized key could crash any reachable zcashd or Zebra node instantly.
- A turnstile accounting bug introduced in zcashd v5.10.0 could be triggered by routine peer-to-peer duplicate block headers.
- Mining pools ViaBTC, Luxor, F2Pool, AntPool, and Foundry all deployed patches before the public release on April 17, 2026.

Zcash vulnerabilities have been patched across two full-node implementations following a coordinated security disclosure. On April 17, 2026, Zcash Open Development Lab released zcashd v6.12.1, while the Zcash Foundation released Zebra v4.3.1. Security researcher Alex “Scalar” Sol reported the issues on April 4, 2026.

Four vulnerabilities were addressed, covering a node crash bug, a consensus enforcement gap, and a turnstile accounting bypass. No user funds were compromised, and no ZEC supply inflation occurred at any point.

Four Bugs Identified Across Both Zcash Full-Node Clients

The most directly exploitable bug was an Orchard transaction crash present in both zcashd and Zebra. A crafted transaction with an all-zeros randomized key encoding could immediately crash any node processing it. Repeated broadcasting of such a transaction could effectively prevent nodes from participating in the network. No transactions triggering this condition were found on the Zcash mainnet before the patch.

A related enforcement gap also existed between the two implementations. Zebra already enforced a protocol requirement on ephemeral public keys within Orchard actions, but zcashd did not. This meant a crafted transaction could be accepted by zcashd while being rejected by Zebra. Such a transaction could have forced a visible chain fork between nodes running different clients.
A separate bug in zcashd, introduced with v5.10.0 in August 2024, could disable turnstile accounting under certain conditions. Receiving a duplicate block header from a peer…
Filed under: News - @ April 19, 2026 1:16 am