Description
Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.

This only affects users that make their HTTP or RTR server available to untrusted networks.
Published: 2026-06-08
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes Routinator to terminate when any error occurs while accepting incoming HTTP or RTR connections, including recoverable errors such as exhaustion of file descriptors. This results in a denial of service by crashing the process, affecting the availability of routing data services processed by the server.

Affected Systems

The affected product is NLnet Labs Routinator. Versions prior to 0.15.2 are impacted; the issue was resolved in 0.15.2 and later releases.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be mounted by an adversary that can reach the HTTP or RTR endpoints from an untrusted network; by opening a large number of connections, the attacker can trigger the error condition that leads Routinator to exit. This exploits a flaw in error handling, classifying it as CWE-755.

Generated by OpenCVE AI on June 8, 2026 at 15:24 UTC.

Remediation

Vendor Solution

This issue is fixed in 0.15.2 and all later versions.

OpenCVE Recommended Actions

  • Update Routinator to version 0.15.2 or later to apply the vendor fix.
  • Restrict the HTTP and RTR services to trusted internal networks or limit external access via firewall rules.
  • Implement connection limits or rate‑limiting on the HTTP and RTR endpoints to prevent large numbers of simultaneous connections from triggering the crash.

Generated by OpenCVE AI on June 8, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs routinator
Vendors & Products Nlnetlabs
Nlnetlabs routinator

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server. This only affects users that make their HTTP or RTR server available to untrusted networks.
Title Routinator exits when accepting an incoming HTTP or RTR connection fails
Weaknesses CWE-755
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}

Subscriptions

Nlnetlabs Routinator
cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-08T15:38:10.504Z

Reserved: 2026-05-28T08:28:56.664Z

Link: CVE-2026-49232

cve-icon Vulnrichment

Updated: 2026-06-08T15:38:07.264Z

cve-icon NVD

Status : Received

Published: 2026-06-08T15:16:47.293

Modified: 2026-06-08T15:16:47.293

Link: CVE-2026-49232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:00:14Z

Weaknesses