Zebra 4.3.1 Security Upgrade Fixes Consensus Bugs

Zebra 4.3.1 is released with critical security fixes and CI hardening. The core message is clear: all Zebra node operators should upgrade to Zebra 4.3.1 immediately because of a consensus-split vulnerability. Key issues fixed in Zebra 4.3.1 include: - CVE-2026-40880: Transaction verification cache flaw. A logic error could let a malicious miner trigger a consensus split. Zebra removes the risky optimization and always re-verifies transactions against the current block height. - CVE-2026-40881: addr/addrv2 deserialization resource exhaustion. Zebra could allocate memory for up to 233,000 entries before enforcing the 1,000 limit, enabling out-of-memory via repeated oversized messages. The fix caps allocations to 1,000 before deserialization. - Consensus divergence in sighash hash-type handling: V5 hash-type validation was dropped during refactoring, allowing Zebra to accept transactions zcashd rejects. A related V4 mismatch also existed due to different preimage semantics. Fixes align behavior with zcashd; included in zcash_script 0.4.4 and zcash_transparent 0.6.4. - rk identity point panic: Orchard transactions could crash nodes if rk used the identity value. The fix disallows identity rk at parsing time. - DoS via interrupted authenticated JSON-RPC: Truncated HTTP request bodies could crash nodes. The fix returns normal error responses instead. Non-security updates add a Dockerized mining setup and automate checkpoint/end-of-support height tracking in CI. CI now includes advisory checks, license scanning, and cargo-vet auditing per pull request. Notable contributors cited include Alex “Scalar” Sol, sangsoo-osec, and Zk-nd3r. Zebra 4.3.1 should be considered the safest path to avoid chain divergence—upgrading is the only known workaround.