PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49235 Nlnetlabs CVE debrief

CVE-2026-49235 is a HIGH severity vulnerability in Routinator, a software developed by Nlnetlabs. The vulnerability occurs when Routinator encounters a file via RRDP (Resource Public Key Infrastructure Repository Delta Protocol) using a specifically crafted Document Type Definition, causing the software to crash. The vulnerability has a CVSS score of 8.7 and was published on 2026-06-08T15:16:48.350Z.

Vendor
Nlnetlabs
Product
Routinator
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-12
Advisory published
2026-06-08
Advisory updated
2026-06-12

Who should care

Users of Routinator, particularly those who rely on RRDP for resource public key infrastructure repository delta protocol, should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The vulnerability is caused by a specifically crafted Document Type Definition in RRDP, which leads to a crash in Routinator. The affected product is Routinator, with a CPE criteria of cpe:2.3:a:nlnetlabs:routinator:*:*:*:*:*:*:*:*, and the vulnerable version is prior to 0.15.2.

Defensive priority

HIGH

Recommended defensive actions

  • Users should update Routinator to a version that is not vulnerable (0.15.2 or later).
  • Users should review and follow the vendor advisory for CVE-2026-49235 at resourceLinkAnnotations with id 'ref-4'.

Evidence notes

The vulnerability was published on 2026-06-08T15:16:48.350Z and modified on 2026-06-12T01:37:20.890Z. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Official resources

CVE-2026-49235 was published on 2026-06-08T15:16:48.350Z and modified on 2026-06-12T01:37:20.890Z.