Description
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
Published: 2026-02-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via CPU exhaustion
Action: Apply Patch
AI Analysis

Impact

An attacker can send malformed NTS packets to ntpd-rs, triggering a CPU‑intensive cookie request loop. This causes moderate CPU load increases, degrading service availability. The flaw is a resource exhaustion vulnerability (CWE‑770).

Affected Systems

The vulnerability affects pendulum-project ntpd-rs implementations before version 1.7.1. Any system running ntpd‑rs versions 1.0 through 1.7.0 with NTS enabled is susceptible. Confirm server version and upgrade if needed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is below 1 %, suggesting low current exploitation probability, and the issue is not listed in the KEV catalog. However, the flaw is exploitable over the network by sending crafted NTS packets to a reachable ntpd‑rs instance. The required conditions are that NTS be enabled and the server accepts incoming traffic, making the vulnerability remotely exploitable for disruption.

Generated by OpenCVE AI on April 17, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ntpd-rs to version 1.7.1 or later to remove the resource exhaustion flaw.
  • If an immediate upgrade is not possible, disable NTS support on the ntpd‑rs server to eliminate the attack vector.
  • After applying mitigation, monitor CPU utilization for unusual spikes and restrict NTP traffic with firewall rules as an additional precaution.

Generated by OpenCVE AI on April 17, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Tweedegolf
Tweedegolf ntpd-rs
CPEs cpe:2.3:a:tweedegolf:ntpd-rs:*:*:*:*:*:rust:*:*
Vendors & Products Tweedegolf
Tweedegolf ntpd-rs
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Pendulum-project
Pendulum-project ntpd-rs
Vendors & Products Pendulum-project
Pendulum-project ntpd-rs

Fri, 13 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
Title ntpd-rs affected by excessive CPU load from malformed packets
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Pendulum-project Ntpd-rs
Tweedegolf Ntpd-rs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T16:00:13.690Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26076

cve-icon Vulnrichment

Updated: 2026-02-13T16:00:08.904Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T22:16:06.960

Modified: 2026-02-23T15:51:55.747

Link: CVE-2026-26076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses