CVE-2026-49232 PUBLISHED

Routinator exits when accepting an incoming HTTP or RTR connection fails

Assigner: NLnet Labs
Reserved: 28.05.2026 Published: 08.06.2026 Updated: 08.06.2026

Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.

This only affects users that make their HTTP or RTR server available to untrusted networks.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
CVSS Score: 8.7

Product Status

Vendor NLnet Labs
Product Routinator
Versions Default: affected
  • unaffected from 0.15.2 to * (excl.)

Solutions

This issue is fixed in 0.15.2 and all later versions.

Credits

  • X41 D-Sec GmbH finder

References

Problem Types

  • CWE-755 Improper Handling of Exceptional Conditions CWE