CVE-2019-11636

7.5 HIGH

📋 TL;DR

CVE-2019-11636 is a denial-of-service vulnerability in Zcash cryptocurrency software that allows attackers to cheaply fill transaction blocks with spam, preventing legitimate transactions from being processed. This affects all Zcash users and network participants running vulnerable versions. The attack exploits the low cost of creating certain types of transactions in the Sapling protocol.

💻 Affected Systems

Products:
  • Zcash
Versions: 2.x versions before 2.0.7-1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Zcash nodes and users of the network; mining pools and exchanges are particularly impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network paralysis where no legitimate transactions can be confirmed, effectively halting the Zcash blockchain and causing financial disruption.

🟠 Likely Case

Periodic transaction delays and increased fees as attackers intermittently spam the network, degrading performance and reliability.

🟢 If Mitigated

Minimal impact if patched quickly; temporary transaction delays if an attack occurs before patching.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack demonstrated publicly via 'Sapling Wood-Chipper' tool; requires minimal resources to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Zcash 2.0.7-1 and later

Vendor Advisory: https://github.com/zcash/zcash/issues/3955

Restart Required: Yes

Instructions:

1. Stop the Zcash daemon.
2. Back up wallet.dat.
3. Download and install Zcash 2.0.7-1 or later from the official source.
4. Restart the Zcash daemon.

🔧 Temporary Workarounds

Transaction fee adjustment

Applies to: all

Increase minimum transaction fees to make spam attacks more expensive:

zcash-cli setminfee 0.0001

🧯 If You Can't Patch

  • Monitor network for spam transactions and temporarily increase transaction fees
  • Consider using alternative cryptocurrency networks until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check the Zcash version:

zcash-cli --version

Verify Fix Applied:

Confirm the reported version is 2.0.7-1 or higher and monitor for successful transaction processing.

📡 Detection & Monitoring

Log Indicators:

  • High volume of low-value transactions
  • Transaction confirmation failures
  • Block fill rate approaching 100%

Network Indicators:

  • Unusual spike in transaction volume
  • Increased orphaned blocks
  • Network latency spikes

SIEM Query:

source="zcash.log" AND "mempool size" > 10000
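The following is an added example, not part of this advisory or of the Zcash project, that turns the indicators above (mempool size, share of low-fee transactions, block fill rate) into a single check. It runs offline on constructed samples shaped like the `getrawmempool true` and `getblock` RPC results; the 2,000,000-byte block limit and every threshold are assumptions to tune per node.

```python
"""Spam-burst heuristics for a Zcash node (added example, not project code)."""
from dataclasses import dataclass

ZEC_PER_ZAT = 1e-8
MAX_BLOCK_BYTES = 2_000_000    # Zcash block size limit (assumed constant)
LOW_FEE_ZAT_PER_BYTE = 1.0     # below this a tx counts as low-value (assumed threshold)
MEMPOOL_ALERT_SIZE = 10_000    # same threshold as the SIEM query above
LOW_FEE_SHARE_ALERT = 0.8      # fraction of mempool txs that are low-fee (assumed)
BLOCK_FILL_ALERT = 0.95        # fraction of MAX_BLOCK_BYTES (assumed)


@dataclass
class Verdict:
    mempool_txs: int
    low_fee_share: float
    block_fill_rate: float
    alerts: list


def fee_per_byte(entry: dict) -> float:
    """zatoshi per byte for one `getrawmempool true` entry (its fee field is in ZEC)."""
    return entry["fee"] / ZEC_PER_ZAT / entry["size"]


def assess(mempool: dict, block: dict) -> Verdict:
    """Combine the three indicators; an empty mempool never raises an alert."""
    n = len(mempool)
    low = sum(1 for e in mempool.values() if fee_per_byte(e) < LOW_FEE_ZAT_PER_BYTE)
    low_share = low / n if n else 0.0
    fill = block["size"] / MAX_BLOCK_BYTES
    alerts = []
    if n > MEMPOOL_ALERT_SIZE:
        alerts.append(f"mempool holds {n} txs, above {MEMPOOL_ALERT_SIZE}")
    if n and low_share >= LOW_FEE_SHARE_ALERT:
        alerts.append(f"{low_share:.0%} of mempool txs are low-fee")
    if fill >= BLOCK_FILL_ALERT and low_share >= LOW_FEE_SHARE_ALERT:
        alerts.append(f"blocks {fill:.0%} full while low-fee txs dominate")
    return Verdict(n, low_share, fill, alerts)


def constructed_spam_sample():
    """Constructed: 12,000 near-zero-fee txs, 50 normal ones, and a 1.95 MB block."""
    mempool = {f"spam{i:05x}": {"size": 1500, "fee": 0.00000100} for i in range(12_000)}
    mempool.update({f"ok{i:03x}": {"size": 300, "fee": 0.0001} for i in range(50)})
    return mempool, {"size": 1_950_000, "tx": list(mempool)[:1300]}


def constructed_quiet_sample():
    """Constructed: a small mempool of normally priced txs and a lightly filled block."""
    mempool = {f"ok{i:03x}": {"size": 300, "fee": 0.0001} for i in range(40)}
    return mempool, {"size": 120_000, "tx": list(mempool)}
```

On a live node the same two dictionaries come from `zcash-cli getrawmempool true` and `zcash-cli getblock <hash>`, polled on a timer.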
