Zebra 4.3.1 - 2026-04-17
This release fixes four important security issues:
- CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks
- CVE-2026-XXXXX: Consensus Divergence in Transparent Sighash Hash-Type Handling
- CVE-2026-XXXXX: rk Identity Point Panic in Transaction Verification
- CVE-2026-40881: addr/addrv2 Deserialization Resource Exhaustion
We recommend that node operators update to 4.3.1 as soon as possible. All previous
Zebra versions are vulnerable to these issues.
Added
- Dockerized mining setup (#10301)
Fixed
- Fixed a panic that could be triggered in the RPC interface on HTTP errors,
such as resetting the connection halfway through a request. We do not consider
this a critical issue since the RPC port is security-sensitive and should not
be opened publicly, but we plan to update our documentation to make this
clear.
Changed
- The Dockerfile and docker-compose.yml were changed to expose the P2P port by
default. This is important for the network since it allows other peers to
connect to the node. Note that if you deploy Zebra behind a firewall or NAT
you might require additional configuration (#10464).
Contributors
Thank you to everyone who contributed to this release. We couldn't make Zebra without you:
@arya2, @conradoplg, @dependabot[bot], @gustavovalverde, @mpguerra, @oxarbitrage and @upbqdn