CVE-2026-35679 PUBLISHED

Assigner: mitre
Reserved: 05.04.2026 Published: 05.04.2026 Updated: 06.04.2026

Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under certain conditions, which potentially could have resulted in the draining of user funds from the Sprout pool. It was sometimes not verifying Sprout proofs.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
CVSS Score: 3.5

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Zcash
Product	zcashd
Versions	Default: unaffected affected from 0 to 6.12.0 (excl.)

References

https://github.com/zcash/zcash/releases/tag/v6.12.0
https://github.com/zcash/zcash/commit/db969c63f48f0f9fc518112ed0b7ace1af78b9d0

Problem Types

CWE-358 Improperly Implemented Security Check for Standard CWE