GHSA-hhm7-qrv5-h4r6: Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node processes blocks past the checkpoint height (non-finalized state is active).
3. The network has NU5 or later activated.
All default configurations are affected.
Summary
Chain::push in the non-finalized state updates the transaction-location index (tx_loc_by_hash) before it runs the duplicate shielded-nullifier guard. When an invalid child block repeats a shielded transaction from its non-finalized parent, the assert_eq!(prior_pair, None, "transactions must be unique within a single chain") fires before the contextual validation that would cleanly reject the duplicate. Under Zebra's panic = "abort" release profile, this terminates the entire node process.
The block should be rejected with a duplicate-nullifier contextual validation error. Instead, the ordering of index updates within Chain::push causes the process to abort.
Details
In zebra-state/src/service/non_finalized_state/chain.rs:1608-1628, the block push sequence is:
1. Insert transaction hash into tx_loc_by_hash with assert_eq! on uniqueness
2. Update transparent outputs and inputs
3. Update shielded data (JoinSplit, Sapling, Orchard) — including nullifier uniqueness checks
The shielded nullifier uniqueness check at step 3 would correctly reject the duplicate transaction. But the assert_eq! at step 1 fires first because the transaction hash is already in tx_loc_by_hash from the parent block on the same chain.
The block transaction verifier does not run the best-chain nullifier query for block transactions — that check is gated on mempool transactions only (zebra-consensus/src/transaction.rs:521-526). Initial contextual validation checks nullifiers in finalized state only (zebra-state/src/service/check.rs:407-415), but the parent transaction is still in non-finalized state.
There are two attack models:
Model A (two attacker blocks): The attacker mines two conse
Details
Original advisory: https://github.com/advisories/GHSA-hhm7-qrv5-h4r6
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52739 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10