CVE-2026-41583/CVE-2026-41584 - Zebra consensus split and rk panic

rg -n "zebrad|zebra-script|zebra-chain|ZcashFoundation/zebra|zcash|orchard|sighash|Cargo\\.lock|cargo" .
cargo tree -i zebrad
cargo tree -i zebra-script
cargo tree -i zebra-chain
rg -n "zebrad|zebra|zcash|ZCASH|mainnet|testnet|regtest" Dockerfile* docker-compose*.yml charts deploy k8s helm systemd .github .

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41583 and CVE-2026-41584 in Zebra/Zcash node
deployments and Zebra Rust library consumers. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Zebra, proves affected
  runtimes and libraries resolve to fixed versions, adds rollout-safe
  verification, and documents operator actions, or
- TRIAGE.md if this repository does not own an affected Zebra runtime/library
  or cannot make a safe change.

## Rules

- Scope only CVE-2026-41583, CVE-2026-41584,
  GHSA-8m29-fpq5-89jj, and GHSA-452v-w3gx-72wg.
- Do not generate invalid Zcash transactions, crafted `rk` values, forked-chain
  payloads, consensus-split test cases, or crash payloads against production,
  staging, shared dev, public testnet, or shared mining infrastructure.
- Do not delete chain state, resync nodes, rotate wallets, alter mining
  policy, or change peer allowlists unless the repository already owns those
  runbook actions and the PR makes the operator impact explicit.
- Do not rely on network isolation as a substitute for upgrading a node that
  can process untrusted transactions or blocks.
- Do not auto-merge.

## Steps

1. Inventory every Zebra/Zcash asset controlled by this repository:
   Cargo manifests, Cargo.lock files, vendored crates, Dockerfiles, base
   images, compose files, Helm charts, Kubernetes manifests, Terraform,
   Ansible, systemd units, CI images, SBOMs, release manifests, runbooks,
   node configuration, and runtime version probes.
2. Determine every resolved version:
   - `zebrad` is vulnerable if it resolves below `4.3.1`;
   - `zebra-script` is vulnerable if it resolves below `5.0.1`;
   - `zebra-chain` is vulnerable if it resolves below `6.0.2`.
3. Determine exposure without exploit testing:
   - Is `zebrad` connected to public, partner, mining, testnet, or regtest
     peers that can supply untrusted transactions or blocks?
   - Does the service use Zebra libraries for transaction, block, mempool,
     wallet, indexer, or chain-observation decisions?
   - Are node health, block acceptance, or mining decisions consumed by other
     production systems?
4. If this repository does not own an affected runtime or library consumer,
   stop with `TRIAGE.md` listing files checked, resolved versions, suspected
   owner, and the exact upgrade requested.
5. Upgrade controlled nodes and libraries:
   - move `zebrad` to `4.3.1+`;
   - move `zebra-script` to `5.0.1+`;
   - move `zebra-chain` to `6.0.2+`;
   - update image tags to fixed immutable digests where possible;
   - regenerate Cargo locks, vendor metadata, SBOMs, image metadata, and
     rendered deployment manifests.
6. Add a dependency guard or deployment policy check that rejects the vulnerable
   Zebra versions in future builds. Keep it narrow to Zebra/Zcash artifacts.
7. Add safe verification that does not exercise the vulnerability:
   - dependency-resolution assertions for the fixed crate versions;
   - image or binary version checks such as `zebrad --version` where available;
   - deployment render tests proving fixed image tags or digests are used;
   - runbook checks for patched node startup, peer health, chain height, best
     block hash, and crash-loop status after rollout.
8. Add temporary rollout containment when deployment is not atomic:
   - remove vulnerable nodes from load-bearing consensus/mining/indexing roles;
   - prefer patched peers for validation during the rollout;
   - flag downstream services that consume Zebra consensus signals as degraded
     until patched nodes are healthy;
   - document any operator-approved resync or state-rebuild requirement.
9. Add a PR body section named `Zebra CVE operator actions` that states:
   - every Zebra binary, crate, image, and deployment target before and after
     the change;
   - whether affected nodes were public-peer, partner-peer, mining, indexer,
     wallet, testnet, or internal-only;
   - whether any downstream service consumes Zebra consensus or chain-state
     output;
   - expected restart, drain, resync, peer-health, and chain-tip verification
     steps;
   - logs to inspect for consensus mismatch, invalid transaction handling,
     Orchard verification panic, or crash loops;
   - any temporary degraded mode that remains after the PR.
10. Run relevant validation: Cargo resolution, unit tests, dependency/security
    scan, SBOM refresh, image build, deployment render, policy checks, and
    safe node startup/version checks available in this repository.
11. Use PR title:
    `fix(sec): remediate Zebra CVE-2026-41583 and CVE-2026-41584`.

## Stop conditions

- No affected Zebra node, crate, image, or deployment target is controlled by
  this repository.
- A fixed Zebra release cannot be consumed without a broader chain-node or
  protocol migration.
- The only available verification would require crafting invalid transactions,
  inducing a consensus split, or crashing a node.
- The change would delete chain state, alter mining behavior, or trigger a
  resync without operator approval.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.