Skip to main content

Routinator CVE-2026-49235

| EUVDEUVD-2026-35065 HIGH
Improper Handling of Exceptional Conditions (CWE-755)
2026-06-08 NLnet Labs GHSA-5qf9-cf9c-hjc6
8.7
CVSS 4.0 · Vendor: NLnet Labs
Share

Severity by source

Vendor (NLnet Labs) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NLnet Labs) · only source for this CVE.

CVSS VectorVendor: NLnet Labs

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 16:50 vuln.today
CVSS changed
Jun 08, 2026 - 15:37 NVD
8.7 (HIGH)
CVE Published
Jun 08, 2026 - 12:59 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.

AnalysisAI

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.

Technical ContextAI

Routinator is NLnet Labs' RPKI relying-party (RP) implementation that fetches and validates RPKI repository data to produce Validated ROA Payloads (VRPs) consumed by routers for route origin validation. The vulnerable code path is in the RRDP (RPKI Repository Delta Protocol, RFC 8182) client, which retrieves notification, snapshot, and delta XML documents from publication points. The CWE-755 (Improper Handling of Exceptional Conditions) classification indicates Routinator does not safely handle a maliciously constructed Document Type Definition embedded in the XML, propagating an unhandled error condition that terminates the process. The affected component per CPE is cpe:2.3:a:nlnet_labs:routinator across all versions prior to the fix.

RemediationAI

Vendor-released patch: upgrade to Routinator 0.15.2 or later, per the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49235.txt. As a temporary compensating control until the upgrade is deployed, operators can restrict Routinator to use rsync-only fetching for trust anchors (disabling RRDP via configuration), which avoids the vulnerable XML/DTD parsing path but increases synchronization latency and bandwidth usage and may not be supported by all publication points. Monitoring the Routinator process for unexpected exits and configuring automatic restart (systemd Restart=on-failure) reduces availability impact but does not prevent the crash itself.

CVE-2020-17366 HIGH POC
7.4 Aug 05

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability

CVE-2026-49232 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg

CVE-2026-49233 HIGH
8.3 Jun 08

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync U

CVE-2026-49234 HIGH
8.2 Jun 08

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon

CVE-2024-1622 HIGH
7.5 Feb 26

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q

CVE-2023-39915 HIGH
7.5 Sep 13

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.

CVE-2022-3029 HIGH
7.5 Sep 13

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and

CVE-2021-43174 HIGH
7.5 Nov 09

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r

CVE-2021-43173 HIGH
7.5 Nov 09

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans

CVE-2021-43172 HIGH
7.5 Nov 09

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne

CVE-2021-41531 HIGH
7.5 Sep 21

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length

CVE-2023-39916 MEDIUM
6.5 Sep 13

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible

Share

CVE-2026-49235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy