CVE-2026-54496 in Zebra
Summary
by MITRE • 07/17/2026
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad 5.0.0, halo2_gadgets 0.5.0, orchard 0.14.0, zcash_primitives 0.28.0, and zcashd 6.20.0, the variable-base scalar multiplication gadget in halo2_gadgets/src/ecc/chip/mul/incomplete.rs used assign_advice() for the base point without a copy constraint tying it to the actual base, allowing a malicious prover to produce a valid proof for an Orchard Action with an under-constrained base point and bypass the diversified-address-integrity check that binds pk_d, g_d, ivk, the nullifier (nf), and the spend validating key (ak) to the note being spent. This issue is fixed in zebrad 5.0.0, halo2_gadgets 0.5.0, orchard 0.14.0, zcash_primitives 0.28.0, and zcashd 6.20.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability described represents a critical flaw in the Zcash ecosystem's cryptographic verification processes, specifically within the halo2_gadgets library that serves as a foundational component for Orchard protocol implementations. This issue affects multiple core Zcash components including zebrad node software, halo2_gadgets cryptographic gadgets, orchard protocol libraries, zcash_primitives utilities, and zcashd daemon versions prior to their respective security patches. The flaw resides in the variable-base scalar multiplication gadget implementation within the file halo2_gadgets/src/ecc/chip/mul/incomplete.rs, where improper constraint handling creates a pathway for malicious actors to manipulate cryptographic proofs without detection.
The technical root cause involves the misuse of assign_advice() function during base point assignment in the elliptic curve scalar multiplication operations. This function call fails to establish proper copy constraints that would normally bind the assigned base point to its actual cryptographic value within the proof system. Without these essential constraints, a malicious prover can construct valid cryptographic proofs that appear legitimate while actually operating with under-constrained parameters. The vulnerability specifically targets the Orchard Action verification process where diversified-address-integrity checks should enforce cryptographic relationships between critical components including pk_d (diversified public key), g_d (diversified generator), ivk (incoming viewing key), nf (nullifier), and ak (spending validating key). These elements must maintain specific mathematical relationships to ensure the integrity of note spending operations.
The operational impact of this vulnerability is severe as it allows attackers to bypass fundamental security mechanisms designed to prevent unauthorized spending of Zcash notes. When an Orchard Action is processed with an under-constrained base point, the diversified-address-integrity check becomes ineffective, potentially enabling malicious actors to spend notes they should not have access to while maintaining the appearance of legitimate transactions. This creates a potential for financial loss and undermines the cryptographic security model that Zcash relies upon. The vulnerability affects the entire Zcash ecosystem since multiple core components depend on the same flawed implementation, making it particularly dangerous as it could potentially be exploited across different implementations and versions.
The fix implemented in versions 5.0.0 of zebrad, halo2_gadgets 0.5.0, orchard 0.14.0, zcash_primitives 0.28.0, and zcashd 6.20.0 addresses this by properly implementing copy constraints that ensure base points in scalar multiplication operations are correctly bound to their actual values within the cryptographic proof system. This remediation aligns with established security practices for zero-knowledge proof systems where all variables must be properly constrained to prevent malicious manipulation of cryptographic proofs. The vulnerability classification corresponds to CWE-254, representing a weakness in the security model that allows for under-constrained variables in cryptographic operations, and maps to ATT&CK technique T1583.001 related to the development of tools for exploitation.
This issue demonstrates the critical importance of proper constraint management in zero-knowledge proof systems where mathematical relationships must be rigorously enforced to maintain cryptographic security guarantees. The vulnerability highlights how seemingly minor implementation details in cryptographic libraries can have catastrophic effects on entire blockchain protocols. Organizations using Zcash implementations must urgently upgrade to patched versions to prevent exploitation and maintain the integrity of their cryptographic operations. The fix ensures that all base point assignments in scalar multiplication operations now properly enforce copy constraints, thereby restoring the intended security properties of the Orchard protocol's diversified address verification mechanisms.