Description
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
Published: 2026-06-08
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Routinator, NLnet Labs' RPKI relying party software, suffers from a denial-of-service flaw when its RRDP client processes a specially crafted Document Type Definition within an RRDP XML stream. The vulnerability, classified as CWE-755 (Improper Handling of Exceptional Conditions), causes the program to crash, disrupting downstream operations that rely on RRDP data.

Affected Systems

The affected product is NLnet Labs Routinator, in all releases before version 0.15.2. Version 0.15.2 and later contain the upstream fix that prevents crashes on malformed DTDs.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. No EPSS value is reported and the flaw is not listed in CISA's KEV catalog. The likely attack vector is a remote attacker feeding the vulnerable RRDP client a crafted XML file via the RRDP protocol, leading to a crash that interrupts the service. Without an EPSS value, the likelihood of exploitation has not been quantified, but the high CVSS score signals significant risk if the flaw is not mitigated.

Generated by OpenCVE AI on June 8, 2026 at 15:23 UTC.

Remediation

Vendor Solution

This issue is fixed in 0.15.2 and all later versions.


OpenCVE Recommended Actions

  • Apply the fix by upgrading Routinator to version 0.15.2 or newer.
  • If an upgrade cannot be performed immediately, suspend RRDP synchronization from external sources until the patch is applied, thereby preventing the crash from occurring.
  • Enable comprehensive logging or monitoring of RRDP parsing errors so that any unexpected XML‑processing failures are detected and addressed promptly.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
Title | | Routinator crashes on specifically crafted RRDP XML files
Weaknesses | | CWE-755
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-08T15:40:07.732Z

Reserved: 2026-05-28T08:28:56.664Z

Link: CVE-2026-49235

Vulnrichment

Updated: 2026-06-08T15:40:03.365Z

NVD

Status: Received

Published: 2026-06-08T15:16:48.350

Modified: 2026-06-08T15:16:48.350

Link: CVE-2026-49235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T15:30:27Z

Weaknesses