CVE-2026-49232 | THREATINT

Description

Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server. This only affects users that make their HTTP or RTR server available to untrusted networks.

PUBLISHED Reserved 2026-05-28 | Published 2026-06-08 | Updated 2026-06-08 | Assigner NLnet Labs

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Problem types

CWE-755 Improper Handling of Exceptional Conditions

Product status

Default status

affected

0.15.2 (semver) before *

unaffected

Timeline

2026-03-28:	Issue reported
2026-06-08:	Fixes released

Credits

X41 D-Sec GmbH finder

References

www.nlnetlabs.nl/downloads/routinator/CVE-2026-49232.txt vendor-advisory

cve.org (CVE-2026-49232)

nvd.nist.gov (CVE-2026-49232)

Download JSON