{"id":"CVE-2019-16930","details":"Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts. This affects anyone who has disclosed their zaddr to a third party.","modified":"2026-04-11T12:42:30.774172Z","published":"2019-09-28T22:15:09.857Z","references":[{"type":"ADVISORY","url":"http://duke.leto.net/2019/10/01/zcash-metadata-leakage-cve-2019-16930.html"},{"type":"ADVISORY","url":"https://github.com/zcash/zcash/releases/tag/v2.0.7-3"},{"type":"ADVISORY","url":"https://z.cash/support/security/announcements/security-announcement-2019-09-24/"},{"type":"FIX","url":"https://github.com/zcash/zcash/commit/c1fbf8ab5d73cff5e1f45236995857c75ba4128d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zcash/zcash","events":[{"introduced":"0"},{"fixed":"e3983afc03d256813662aa2cb07fbe1a05b9ab05"},{"fixed":"c1fbf8ab5d73cff5e1f45236995857c75ba4128d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.7-3"}]}}],"versions":["bitcoin-v0.11.2","v0.11.2.z0","v0.11.2.z1","v0.11.2.z2","v0.11.2.z3","v0.11.2.z4","v0.11.2.z5","v0.11.2.z6","v0.11.2.z7","v0.11.2.z8","v0.11.2.z9","v0.9.0rc2","v1.0.0","v1.0.0-beta1","v1.0.0-beta2","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.0.1","v1.0.10","v1.0.10-1","v1.0.11","v1.0.11-rc1","v1.0.12","v1.0.12-rc1","v1.0.13","v1.0.13-rc1","v1.0.13-rc2","v1.0.14","v1.0.14-rc1","v1.0.15","v1.0.15-rc1","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7-1","v1.0.8","v1.0.8-1","v1.0.9","v1.1.0","v1.1.0-rc1","v1.1.1","v1.1.1-rc1","v1.1.1-rc2","v1.1.2","v1.1.2-rc1","v2.0.0","v2.0.0-rc1","v2.0.1","v2.0.1-rc1","v2.0.2","v2.0.2-rc1","v2.0.3","v2.0.3-rc1","v2.0.4","v2.0.4-rc1","v2.0.5","v2.0.5-1","v2.0.5-2","v2.0.5-rc1","v2.0.6","v2.0.6-rc1","v2.0.7","v2.0.7-2","v2.0.7-rc1","zc.v0.11.2.z0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"length":671,"function_hash":"81082098138449732548134005623726196796"},"id":"CVE-2019-16930-22ef2bea","target":{"function":"SaplingNotePlaintext::decrypt","file":"src/zcash/Note.cpp"},"source":"https://github.com/zcash/zcash/commit/c1fbf8ab5d73cff5e1f45236995857c75ba4128d","signature_version":"v1","signature_type":"Function"},{"deprecated":false,"digest":{"length":585,"function_hash":"226413415805767596118391592283434920717"},"id":"CVE-2019-16930-55fb5273","target":{"function":"SaplingNotePlaintext::decrypt","file":"src/zcash/Note.cpp"},"source":"https://github.com/zcash/zcash/commit/c1fbf8ab5d73cff5e1f45236995857c75ba4128d","signature_version":"v1","signature_type":"Function"},{"deprecated":false,"digest":{"line_hashes":["73458758040443046124580122407287945385","95342543725302552392462330207005166191","338569015563194776666709266388694578267","191487860421057871753813933270403390985","44238610660071775447404839794715411707","36486753304366101197268453869191804664","84626146118490708727224022320579326072","209792595390317872818817214044060373932","217331980017304715365438491509525232714","73458758040443046124580122407287945385","95342543725302552392462330207005166191","293236682108603033514880275442727465318","184548145835460818316123714756850878297","26929394811047353936549775145663041748","234833883886567991443154247070588807811","152652648309849732903093461474099320072","105473171054090208979580222112558053678","73458758040443046124580122407287945385","95342543725302552392462330207005166191","293236682108603033514880275442727465318","184548145835460818316123714756850878297","303924817537138302177377503403421379227","190562178755425538742944193484407493280","295222250789982818101907540096750501670","185310990253975377630052674745026912779","147032117456263578289284128795161813100","2395101524007171883795828184359635277","38954888429297238899312249043551197961"],"threshold":0.9},"id":"CVE-2019-16930-629e0210","target":{"file":"src/zcash/Note.cpp"},"source":"https://github.com/zcash/zcash/commit/c1fbf8ab5d73cff5e1f45236995857c75ba4128d","signature_version":"v1","signature_type":"Line"},{"deprecated":false,"digest":{"length":386,"function_hash":"86796552645456208568359934111628771170"},"id":"CVE-2019-16930-d3f77e7b","target":{"function":"SaplingOutgoingPlaintext::decrypt","file":"src/zcash/Note.cpp"},"source":"https://github.com/zcash/zcash/commit/c1fbf8ab5d73cff5e1f45236995857c75ba4128d","signature_version":"v1","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16930.json","vanir_signatures_modified":"2026-04-11T12:42:30Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}