Routinator exits when accepting an incoming HTTP or RTR connection fails
CVE-2026-49232

8.7HIGH

Key Information:

Vendor: Nlnet Labs
Status: Routinator
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-49232?

Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.

This only affects users that make their HTTP or RTR server available to untrusted networks.

Affected Version(s)

Routinator 0.15.2

References

https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49...

vendor-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 28, 2026

Credit

X41 D-Sec GmbH

CVE-2026-49232 Data

JSON

Nlnet Labs

What is CVE-2026-49232?

Affected Version(s)

References

CVSS V4

Timeline

Credit