CVE-2026-49232
HIGHRoutinator exits when accepting an incoming HTTP or RTR connection fails
Title source: cnaDescription
Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server. This only affects users that make their HTTP or RTR server available to untrusted networks.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49232.txt
Scores
CVSS v4
8.7
EPSS
0.0033
EPSS Percentile
24.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-755
Status
published
Products (1)
NLnet Labs/Routinator
0.15.2
Published
Jun 08, 2026
Tracked Since
Jun 08, 2026