Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NLnet Labs) · only source for this CVE.
CVSS VectorVendor: NLnet Labs
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
AnalysisAI
Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.
Technical ContextAI
Routinator is NLnet Labs' RPKI relying-party (RP) implementation that fetches and validates RPKI repository data to produce Validated ROA Payloads (VRPs) consumed by routers for route origin validation. The vulnerable code path is in the RRDP (RPKI Repository Delta Protocol, RFC 8182) client, which retrieves notification, snapshot, and delta XML documents from publication points. The CWE-755 (Improper Handling of Exceptional Conditions) classification indicates Routinator does not safely handle a maliciously constructed Document Type Definition embedded in the XML, propagating an unhandled error condition that terminates the process. The affected component per CPE is cpe:2.3:a:nlnet_labs:routinator across all versions prior to the fix.
RemediationAI
Vendor-released patch: upgrade to Routinator 0.15.2 or later, per the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49235.txt. As a temporary compensating control until the upgrade is deployed, operators can restrict Routinator to use rsync-only fetching for trust anchors (disabling RRDP via configuration), which avoids the vulnerable XML/DTD parsing path but increases synchronization latency and bandwidth usage and may not be supported by all publication points. Monitoring the Routinator process for unexpected exits and configuring automatic restart (systemd Restart=on-failure) reduces availability impact but does not prevent the crash itself.
More in Routinator
View allAn issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability
Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg
Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync U
Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon
Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q
NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.
In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans
NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne
NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length
NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35065
GHSA-5qf9-cf9c-hjc6