PatchSiren cyber security CVE debrief
CVE-2026-35679 Zcash CVE debrief
A vulnerability in Zcash zcashd versions prior to 6.12.0 allowed invalid transactions to be accepted under certain conditions, potentially enabling the draining of user funds from the Sprout pool. The root cause was incomplete verification of Sprout proofs in specific scenarios. The issue was resolved in version 6.12.0. The CVSS 3.1 score of 3.5 (Low severity) reflects the attack complexity requirements and limited impact scope. The vulnerability was published on April 5, 2026, with the record last modified on May 19, 2026.
- Vendor: Zcash
- Product: zcashd
- CVSS: LOW 3.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-05
- Original CVE updated: 2026-05-19
- Advisory published: 2026-04-05
- Advisory updated: 2026-05-19
Who should care
Zcash node operators, cryptocurrency exchanges supporting ZEC, wallet providers integrating zcashd, and users with funds in the Sprout shielded pool should prioritize this update.
Technical summary
The vulnerability exists in the Sprout shielded pool implementation of zcashd, where proof verification was not consistently enforced. This weakness (CWE-358: Improperly Implemented Security Check for Standard) could allow crafted invalid transactions to bypass validation. The attack requires network access and low privileges, and has high attack complexity. The fix in version 6.12.0 ensures that Sprout proofs are verified under all conditions.
Defensive priority
medium
Recommended defensive actions
- Upgrade zcashd to version 6.12.0 or later to ensure proper verification of Sprout proofs.
- If an affected version was running, review Sprout pool transaction logs for anomalous activity during the exposure window.
- Monitor Zcash security advisories for any additional guidance on this vulnerability.
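As an added example (not part of this debrief or the zcashd project), a small Python helper that decides whether a reported zcashd version string falls before the 6.12.0 fix; the version-string formats it accepts, and the "Zcash Daemon version" prefix in the sample, are assumptions.

```python
import re
from typing import Optional, Tuple

# Fix version stated in the advisory; everything below it is affected.
FIXED_VERSION = (6, 12, 0)

# Matches an optional "v" prefix, MAJOR.MINOR.PATCH, and an optional
# pre-release suffix such as "-rc1" (format is an assumption; adjust to
# whatever your node actually reports).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str]]]:
    """Extract (major, minor, patch) and an optional pre-release tag from text.
    Returns None if no version-like token is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is prior to 6.12.0 (affected), False if fixed,
    None if the string could not be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    core, prerelease = parsed
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and prerelease is not None:
        # A pre-release of 6.12.0 (e.g. 6.12.0-rc1) precedes the final 6.12.0.
        return True
    return False


def assess(version_lines):
    """Classify each reported version string; returns {string: verdict}."""
    return {line: is_affected(line) for line in version_lines}


if __name__ == "__main__":
    # Constructed sample strings (the daemon banner format is an assumption).
    samples = ["Zcash Daemon version v6.11.2", "v6.12.0-rc1", "6.12.0", "v7.0.1", "unknown"]
    for line, verdict in assess(samples).items():
        label = "AFFECTED" if verdict else ("fixed" if verdict is False else "unparsed")
        print(f"{line!r}: {label}")
```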
Evidence notes
The CVE description and NVD record confirm the affected versions and fix version. The GitHub commit and release tag provide technical confirmation of the remediation.
Official resources
The vulnerability was disclosed through official CVE channels with a fix available in zcashd 6.12.0. No known exploitation in the wild has been reported.