CVE-2026-49235: Routinator RPKI Validator Denial of Service via Malicious RRDP Document
Routinator, a RPKI validator from NLnet Labs, crashes when processing specially crafted XML files delivered through the RRDP protocol. An attacker can trigger this denial-of-service condition remotely without authentication, making the service unavailable to legitimate users who depend on it for RPKI validation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-755
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49235 is a denial-of-service vulnerability in Routinator stemming from improper handling of malformed Document Type Definitions (DTDs) in RRDP (RPKI Repository Delta Protocol) payloads. When Routinator processes a specially constructed DTD, the application crashes due to insufficient input validation, causing an uncontrolled exception. The vulnerability is reachable over the network, requires no privileges or user interaction, and affects the availability vector of the system. The underlying weakness is classified under CWE-755 (Improper Handling of Exceptional Conditions).
Business impact
Organizations operating RPKI validation infrastructure depend on Routinator to maintain route origin validation, a critical component of BGP security. Service crashes disrupt the continuous synchronization of RPKI data, potentially leaving networks unable to validate route announcements. In environments where Routinator is the sole or primary validator, repeated crashes can degrade operational confidence in RPKI deployment and create windows where legitimate route updates cannot be validated, affecting network reliability and potentially impacting upstream and downstream network partners.
Affected systems
NLnet Labs Routinator is affected. The vulnerability applies to instances receiving RRDP updates from untrusted or compromised RPKI repositories. Organizations running Routinator in production for RPKI validation are at risk, particularly those without redundant validator instances or rate-limiting mitigations in place.
Exploitability
This vulnerability is highly exploitable in practical scenarios. It requires only network access to the RRDP endpoint and can be triggered remotely without authentication or user interaction. An attacker with the ability to inject a malicious RRDP document (e.g., via a compromised repository, man-in-the-middle attack, or by controlling a public repository) can crash any Routinator instance that processes the file. No special tooling or advanced capabilities are needed beyond crafting a malicious XML document with a specific DTD pattern.
Remediation
Apply patches released by NLnet Labs to address the DTD handling vulnerability. Immediately update Routinator to a patched version once available. As an interim mitigation, restrict RRDP sources to trusted repositories and implement network-level filtering to reduce exposure to untrusted RRDP endpoints. Consider deploying multiple Routinator instances behind a load balancer to provide resilience against individual crashes. Monitor Routinator logs for unexpected terminations and set up alerting on service restarts.
Patch guidance
Consult the NLnet Labs security advisory and release notes for patched Routinator versions that address this DTD handling issue. Verify the specific version number against the vendor's official security announcement. Test patches in a non-production environment to confirm RRDP functionality and stability before deployment. Plan a maintenance window to deploy patches across all Routinator instances in your RPKI validation infrastructure.
Detection guidance
Monitor Routinator process logs and system logs for unexpected crashes or segmentation faults correlating with RRDP synchronization events. Implement alerting on Routinator service restarts or abnormal terminations. If available, enable verbose logging in Routinator to capture details of malformed RRDP documents received. Network-based detection is challenging without deep packet inspection of RRDP traffic; focus instead on operational monitoring of Routinator availability and graceful recovery procedures.
Why prioritize this
Despite not being on the KEV catalog, this vulnerability merits rapid patching due to its high CVSS score (7.5), lack of authentication requirements, remote exploitability, and direct impact on critical BGP security infrastructure. The ease of exploitation and potential for service disruption in RPKI validation make this a priority for organizations relying on Routinator for route origin validation.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible denial-of-service condition with no authentication barrier and no user interaction required. The vulnerability does not compromise confidentiality or integrity, but its impact on availability is complete—the service becomes unavailable. The lack of complexity in the attack vector and the simplicity of triggering the crash through a malicious RRDP document push this into the HIGH severity band.
Frequently asked questions
What is RRDP and why does Routinator use it?
RRDP (RPKI Repository Delta Protocol) is a protocol for distributing RPKI (Resource Public Key Infrastructure) data efficiently. Routinator uses RRDP to synchronize route origin validation data from RPKI repositories. It is a core component of BGP security infrastructure.
Can an attacker exploit this to steal data or modify routes?
No. This vulnerability only causes a denial-of-service (crash). It does not allow data theft, integrity violation, or route hijacking. However, by crashing the validator, an attacker can prevent legitimate route validation, which indirectly degrades security.
Is my Routinator instance vulnerable if I only use private RPKI repositories?
Your risk is lower but not eliminated. If a private repository is compromised or if an insider can inject malicious RRDP documents, the vulnerability can still be triggered. Apply patches regardless of repository trust level for defense-in-depth.
What should I do if Routinator keeps crashing after seeing this advisory?
Update to the latest patched version immediately. If patches are not yet available, consider deploying multiple redundant Routinator instances and implementing network segmentation to limit exposure to untrusted RRDP sources. Contact NLnet Labs for guidance on interim workarounds.
This analysis is based on the CVE record published on 2026-06-08 and modified on 2026-06-17. Specific patch versions and detailed mitigation guidance should be verified against the official NLnet Labs security advisory and release notes. This vulnerability is not currently on the CISA KEV catalog. Organizations should assess their own risk based on Routinator deployment topology, RPKI repository configuration, and network exposure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40371HIGHMicrosoft Dynamics 365 On-Premises Privilege Escalation (CVSS 8.8 HIGH)
- CVE-2026-9516HIGHCpanel::JSON::XS Denial of Service via UTF-8 BOM and Filter Callbacks
- CVE-2026-48524LOWPyJWT Denial of Service via Unlimited JWKS Requests
- CVE-2026-49233HIGHRoutinator Path Traversal Vulnerability – Urgent BGP Security Risk
- CVE-2026-49234HIGHRoutinator API Denial of Service via Non-UTF-8 Input
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin