EXECUTIVE SUMMARY:
CVE-2026-54496 with a CVSS score of 9.3 is a soundness vulnerability affecting multiple Zcash-related Rust packages, including `zebrad` versions, `halo2_gadgets` versions prior to, `orchard` versions, and `zcash_primitives` versions before 0.28.0. This flaw stems from a missing copy constraint in the variable-base scalar multiplication gadget, which allows a malicious prover to utilize an under-constrained base point to bypass checks binding an Orchard Action to the correct incoming viewing key and nullifier. An attacker can exploit this vulnerability by manipulating private circuit inputs to generate valid cryptographic proofs, thereby enabling the double-spending of notes within the Orchard pool or the theft of funds via forged spend authorizations. The business impact is significant, as successful exploitation causes balance violations and financial loss that are undetectable on-chain due to zero-knowledge privacy features. While double-spending requires minimal prerequisites, stealing funds necessitates that the adversary knows the note plaintext, a condition often met if the linked incoming viewing key is compromised.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-54496 with a CVSS score of 9.3 is a soundness vulnerability affecting multiple Zcash-related Rust packages, including `zebrad` versions, `halo2_gadgets` versions prior to, `orchard` versions, and `zcash_primitives` versions before 0.28.0. This flaw stems from a missing copy constraint in the variable-base scalar multiplication gadget, which allows a malicious prover to utilize an under-constrained base point to bypass checks binding an Orchard Action to the correct incoming viewing key and nullifier. An attacker can exploit this vulnerability by manipulating private circuit inputs to generate valid cryptographic proofs, thereby enabling the double-spending of notes within the Orchard pool or the theft of funds via forged spend authorizations. The business impact is significant, as successful exploitation causes balance violations and financial loss that are undetectable on-chain due to zero-knowledge privacy features. While double-spending requires minimal prerequisites, stealing funds necessitates that the adversary knows the note plaintext, a condition often met if the linked incoming viewing key is compromised.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-ww9q-8r59-xv46