CVE-2026-44498

High

Published: 08 May 2026

Published

08 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0003 8.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44498 is a high-severity Incorrect Calculation (CWE-682) vulnerability in Zfnd Zebrad. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces…

such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-682

Affected Products

zfnd

zebrad

≤ 4.4.0

CVEs Like This One

CVE-2026-40880Same product: Zfnd Zebrad

CVE-2026-41584Same product: Zfnd Zebrad

CVE-2026-41583Same product: Zfnd Zebrad

CVE-2026-40881Same product: Zfnd Zebrad

CVE-2026-44497Same product: Zfnd Zebrad

CVE-2026-34377Same vendor: Zfnd

CVE-2026-34202Same vendor: Zfnd

CVE-2026-1229Shared CWE-682

CVE-2026-24783Shared CWE-682

CVE-2025-26622Shared CWE-682

References

https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0
Release Notes · security-advisories@github.com
https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-jv4h-j224-23cc
Vendor Advisory · security-advisories@github.com