CVE-2026-49232: Routinator exits when accepting an incoming HTTP or RTR connection fails
Routinator exits on any error when accepting incoming HTTP or RTR connections, including errors it could recover from, such as running out of file descriptors. An attacker can trigger this condition deliberately by opening a large number of connections to the HTTP or RTR server. This only affects users who make their HTTP or RTR server available to untrusted networks.
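To make the failure mode concrete, the following is an added illustration in Rust; it is not Routinator's source and not part of the NLnet Labs advisory. It contrasts an accept loop that propagates every `accept()` error (so a transient EMFILE from a flood of idle connections ends the server) with one that classifies the error first and retries after a short back-off when the condition will clear on its own. The errno constants are assumed Linux values, and the classification itself is the author's assumption about which conditions are safe to ride out.

```rust
use std::io::{self, ErrorKind};
use std::net::{TcpListener, TcpStream};
use std::thread;
use std::time::Duration;

// Raw errno values for the resource-exhaustion cases that std::io does not map to a
// stable ErrorKind. Assumption: these are Linux values (EMFILE/ENFILE also match macOS;
// ENOBUFS/ENOMEM may differ elsewhere).
const EMFILE: i32 = 24; // per-process file descriptor limit reached
const ENFILE: i32 = 23; // system-wide file table full
const ENOBUFS: i32 = 105; // kernel socket buffers temporarily exhausted
const ENOMEM: i32 = 12; // kernel could not allocate memory for the new socket

/// What the accept loop should do after accept() fails.
#[derive(Debug, PartialEq, Eq)]
pub enum AcceptAction {
    /// Transient condition: log it, back off briefly, keep serving.
    Retry,
    /// The listener itself is unusable: propagate the error and let the daemon exit.
    Exit,
}

/// Classify an accept() error (assumed policy, not Routinator's). Anything that clears once
/// the attacker's connections close or time out is `Retry`; everything else is `Exit`.
pub fn classify_accept_error(e: &io::Error) -> AcceptAction {
    match e.kind() {
        // Peer went away before accept() completed, or a signal interrupted the call.
        ErrorKind::ConnectionAborted | ErrorKind::ConnectionReset | ErrorKind::Interrupted => {
            AcceptAction::Retry
        }
        _ => match e.raw_os_error() {
            Some(EMFILE | ENFILE | ENOBUFS | ENOMEM) => AcceptAction::Retry,
            _ => AcceptAction::Exit,
        },
    }
}

/// Vulnerable shape: `?` turns every accept error, EMFILE included, into a return from the
/// loop, which is the end of the server.
pub fn accept_loop_exit_on_any_error(listener: &TcpListener, wanted: usize) -> io::Result<usize> {
    let mut accepted = 0;
    while accepted < wanted {
        let (stream, _peer) = listener.accept()?;
        drop(stream); // a real server would hand the stream to a worker
        accepted += 1;
    }
    Ok(accepted)
}

/// Hardened shape: recoverable errors are logged and the loop sleeps briefly, so the daemon
/// rides out the exhaustion instead of exiting. Assumes a blocking listener.
pub fn accept_loop_recovering(
    listener: &TcpListener,
    wanted: usize,
    backoff: Duration,
) -> io::Result<usize> {
    let mut accepted = 0;
    while accepted < wanted {
        match listener.accept() {
            Ok((stream, _peer)) => {
                drop(stream);
                accepted += 1;
            }
            Err(e) if classify_accept_error(&e) == AcceptAction::Retry => {
                eprintln!("accept failed, retrying in {backoff:?}: {e}");
                thread::sleep(backoff);
            }
            Err(e) => return Err(e),
        }
    }
    Ok(accepted)
}

fn main() -> io::Result<()> {
    // Loopback demo: three short-lived client connections are accepted by the hardened loop.
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    let client = thread::spawn(move || {
        for _ in 0..3 {
            let _ = TcpStream::connect(addr); // dropped immediately; accept still sees it
        }
    });
    let n = accept_loop_recovering(&listener, 3, Duration::from_millis(50))?;
    client.join().expect("client thread panicked");
    println!("accepted {n} connections; loop still running");
    Ok(())
}
```

The point of the classifier is that file-descriptor exhaustion caused by an attacker's idle connections is a condition of the process, not of the listening socket: once those connections are closed or timed out, `accept()` succeeds again, so exiting throws away a service that was seconds from recovering. Errors that do indicate a broken listener (EBADF, EINVAL) still terminate the loop.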
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 0.15.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in NLnet Labs Routinator, the RPKI validator daemon. An unauthenticated remote attacker can open a large number of connections to Routinator's HTTP or RTR listener, exhausting file descriptors and causing the process to exit instead of recovering gracefully. Successful exploitation crashes the Routinator service, disrupting RPKI-based route origin validation and degrading dependent routing infrastructure. A patched-image rebuild at version 0.15.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-49232 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of publication by ingesting the upstream NVD and NLnet Labs advisory feeds. Coverage extends to custom-built images that bundle Routinator, including internally maintained base images.
HarborGuard scores this finding at CVSS 8.7 (HIGH) using the v4.0 vector, with per-environment compliance policy weighting available to escalate or suppress routing based on whether Routinator's HTTP or RTR ports are exposed to untrusted networks. Triage findings are routed to the appropriate team inbox inside each customer organization according to configured ownership rules.
A patched-image rebuild at Routinator 0.15.2 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach Routinator's HTTP or RTR listener over the network; NLnet Labs notes this only affects deployments that expose those ports to untrusted networks.
- Authentication: Not required
No credentials are needed; the attacker simply opens connections to the public listener without authenticating.
- Victim interaction: Not required
No user or operator action is required; the attacker triggers the crash entirely through their own connection attempts.
- Attack complexity: Low (AC:L)
Exploit conditions are straightforward and require no special timing, race conditions, or environmental setup beyond network access to the listener.
Blast Radius
- The Routinator process exits, taking the RPKI validation service offline for the duration of the outage.
- Route origin validation fails for any BGP router relying on the RTR feed from this Routinator instance, leaving routing decisions without RPKI-derived ROV coverage.
- Downstream RPKI-dependent infrastructure experiences degraded protection against route hijacks for as long as the service remains down.
How HarborGuard Handles This
Available on HarborGuard: images containing Routinator are matched against this CVE at ingest time, and a rebuild against the fixed upstream release 0.15.2 is available for any affected image. For customers who opt into auto-remediation, the flow is fully automated: HarborGuard rebuilds the image, runs regression tests, and opens a pull request against the affected workload, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding appears in the triage queue with the fix version noted so engineers can act manually. As a compensating control while a rebuild is in progress, customers can apply network policy to restrict access to Routinator's HTTP and RTR ports to trusted upstream peers only, limiting the pool of hosts that can attempt the connection-exhaustion attack.
Fix available
- NLnet Labs / Routinator: Fixed in 0.15.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L