CVE-2026-49232 (GCVE-0-2026-49232)
Vulnerability from cvelistv5 – Published: 2026-06-08 12:58 – Updated: 2026-06-08 15:38
VLAI?
Title
Routinator exits when accepting an incoming HTTP or RTR connection fails
Summary
Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.
This only affects users that make their HTTP or RTR server available to untrusted networks.
Severity ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NLnet Labs | Routinator |
Unaffected:
0.15.2 , < *
(semver)
|
Credits
X41 D-Sec GmbH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:38:04.659833Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:38:10.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Routinator",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.15.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "X41 D-Sec GmbH"
}
],
"datePublic": "2026-06-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.\n\nThis only affects users that make their HTTP or RTR server available to untrusted networks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T12:58:37.695Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49232.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in 0.15.2 and all later versions."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-28T00:00:00.000Z",
"value": "Issue reported"
},
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Fixes released"
}
],
"title": "Routinator exits when accepting an incoming HTTP or RTR connection fails",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-49232",
"datePublished": "2026-06-08T12:58:37.695Z",
"dateReserved": "2026-05-28T08:28:56.664Z",
"dateUpdated": "2026-06-08T15:38:10.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…