Skip to main content

Ntpd Rs CVE-2026-26076

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-02-12 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
Patch released
Feb 23, 2026 - 15:51 nvd
Patch available
CVE Published
Feb 12, 2026 - 22:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.

AnalysisAI

ntpd-rs versions prior to 1.7.1 are vulnerable to remote denial of service through crafted NTS (Network Time Protocol Security) packets that force excessive CPU consumption on affected servers. An unauthenticated attacker can exploit this by sending malformed NTS cookie requests that require significantly more processing resources to handle, degrading server performance and availability. The vulnerability affects ntpd-rs deployments with NTS enabled and is resolved in version 1.7.1.

Technical ContextAI

This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) affects Ntpd-Rs. ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.7.1.. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-26076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy