Zcash Zebra Remote Denial-of-Service Vulnerability via Crafted V5 Transactions
Vulnerability
A remote denial-of-service vulnerability has been identified in Zcash Zebra nodes, specifically in versions prior to 4.3.0 for zebrad and prior to 6.0.1 for zebra-chain. The issue arises in the transaction processing logic, where a remote, unauthenticated attacker can cause a Zebra node to crash. This is achieved by sending a specially crafted V5 transaction that successfully passes initial deserialization but fails during the calculation of the transaction ID, leading to a panic and crash of the node.
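The failure class described above, deserialization that accepts input which a later infallible step cannot handle, shown as an added Rust example (not Zebra's code and not part of the original advisory). The wire format, `ToyTx`, and every function name are hypothetical, and FNV-1a stands in for the real transaction hash.

```rust
// Added illustration, NOT Zebra's V5 encoding. Toy layout: [branch: u8][len: u8][payload]
use std::panic;

#[derive(Debug, PartialEq)]
enum TxError { Truncated, UnknownBranch(u8) }
struct ToyTx { branch: u8, payload: Vec<u8> }

// Framing-only parser: accepts any branch byte, deferring the semantic check.
fn parse_lenient(b: &[u8]) -> Result<ToyTx, TxError> {
    let (&branch, rest) = b.split_first().ok_or(TxError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(TxError::Truncated)?;
    let payload = rest.get(..len as usize).ok_or(TxError::Truncated)?.to_vec();
    Ok(ToyTx { branch, payload })
}

// Hash domain tag; only branches 1 and 2 exist in this toy format.
fn tag_for(branch: u8) -> Option<[u8; 4]> {
    match branch { 1 => Some(*b"TOY1"), 2 => Some(*b"TOY2"), _ => None }
}

// FNV-1a, a stand-in for the real transaction hash.
fn fnv1a(tag: [u8; 4], data: &[u8]) -> u64 {
    tag.iter().chain(data)
        .fold(0xcbf29ce484222325u64, |h, &b| (h ^ b as u64).wrapping_mul(0x100000001b3))
}

// Vulnerable shape: the infallible signature hides a panic reachable from the network.
fn txid_panicking(tx: &ToyTx) -> u64 {
    fnv1a(tag_for(tx.branch).expect("parser guarantees a known branch"), &tx.payload)
}

// Hardened shape: the ID computation reports bad input instead of panicking.
fn txid_checked(tx: &ToyTx) -> Result<u64, TxError> {
    let tag = tag_for(tx.branch).ok_or(TxError::UnknownBranch(tx.branch))?;
    Ok(fnv1a(tag, &tx.payload))
}

// Hardened parser: reject at the trust boundary anything the ID step cannot hash.
fn parse_strict(b: &[u8]) -> Result<ToyTx, TxError> {
    let tx = parse_lenient(b)?;
    txid_checked(&tx).map(|_| tx)
}

fn main() {
    let crafted = [9u8, 1, 0xAA]; // constructed input: valid framing, unknown branch 9
    let tx = parse_lenient(&crafted).expect("framing is valid");
    println!("panicking path crashed: {}", panic::catch_unwind(|| txid_panicking(&tx)).is_err());
    println!("checked: {:?}, strict rejects: {}", txid_checked(&tx), parse_strict(&crafted).is_err());
}
```

In a long-running node, the panicking shape turns one malformed message into a process exit; the checked shape turns it into a rejected message.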
Impact
Exploitation of this vulnerability causes an immediate crash of the affected Zebra node.
Reproduction
The vulnerability can be reproduced by sending a malformed V5 transaction through the network to a Zebra node's public P2P port or via the `sendrawtransaction` RPC method. The transaction will be deserialized without issue, but will cause the node to panic and crash when the transaction ID is calculated.
Remediation
Users are advised to upgrade to Zebra version 4.3.0 or later. If an immediate upgrade is not possible, ensure that the RPC port is not exposed to the Internet. The P2P port should remain closed or restricted to trusted peers to fully mitigate the risk.
