Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.
This only affects users that make their HTTP or RTR server available to untrusted networks.
AnalysisAI
Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Routinator is NLnet Labs' RPKI (Resource Public Key Infrastructure) Relying Party validator, used by network operators to fetch and validate signed prefix-origin attestations and feed them to BGP routers over the RPKI-to-Router (RTR) protocol, plus an HTTP interface for metrics and JSON/CSV exports. The defect is classified as CWE-755 (Improper Handling of Exceptional Conditions): the connection accept loop on both listeners treats any error returned by accept() as fatal and terminates the process, rather than distinguishing transient/recoverable errors (such as EMFILE/ENFILE when the per-process file descriptor table is exhausted) from genuinely fatal ones. An attacker who can reach the listening sockets can therefore deterministically push the descriptor table over its limit and cause the validator to exit.
RemediationAI
Vendor-released patch: upgrade Routinator to 0.15.2 or later, as documented at https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49232.txt. As an interim compensating control, restrict the RTR listener (default TCP/3323 or 8323) and the HTTP listener (default TCP/8323/9556) to trusted router peers and monitoring hosts via host firewall (iptables/nftables) or by binding to a management interface or loopback only, since the vendor explicitly notes the issue only affects deployments exposing these services to untrusted networks; the trade-off is that any router or monitoring system not on the allowlist will lose its RTR/metrics feed. Operators can additionally raise the process file descriptor limit (ulimit -n / LimitNOFILE in the systemd unit) and run Routinator under a supervisor that restarts it on exit to reduce, but not eliminate, the outage window - neither of these prevents the crash itself.
More in Routinator
View allAn issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability
Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Docu
Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync U
Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon
Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q
NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.
In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans
NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne
NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length
NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35062
GHSA-9vvr-6hrm-363j