{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-49232: Routinator exits when accepting an incoming HTTP or RTR connection fails","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-49232","status":"final","version":"1","initial_release_date":"2026-06-08T12:58:37.695Z","current_release_date":"2026-06-08T15:38:10.504Z","revision_history":[{"date":"2026-06-08T12:58:37.695Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.\n\nThis only affects users that make their HTTP or RTR server available to untrusted networks.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-49232 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-49232"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-49232"},{"category":"external","summary":"nlnetlabs.nl","url":"https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49232.txt"}]},"product_tree":{"branches":[{"category":"vendor","name":"NLnet Labs","branches":[{"category":"product_name","name":"Routinator","branches":[{"category":"product_version","name":"*","product":{"name":"NLnet Labs Routinator *","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:nlnet_labs:routinator:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0.15.2","product":{"name":"NLnet Labs Routinator 0.15.2","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:nlnet_labs:routinator:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-49232","title":"Routinator exits when accepting an incoming HTTP or RTR connection fails","notes":[{"category":"description","text":"Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.\n\nThis only affects users that make their HTTP or RTR server available to untrusted networks.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L","baseScore":8.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0.15.2.","product_ids":["CSAFPID-1"]}]}]}