CVE-2026-49234— Routinator crashes on specifically crafted ASN strings in the API
Possible ATT&CK Techniques 2AI
T1210 · Exploitation of Remote Services T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NLnet Labs | Routinator | 0.15.2< * | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49234
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Routinator crashes on specifically crafted ASN strings in the API
Source: NVD (National Vulnerability Database)
Vulnerability Description
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
NLnet Labs Routinator 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
NLnet Labs Routinator是NLnet Labs开源的一个RPKI路由起源验证服务。 NLnet Labs Routinator存在输入验证错误漏洞,该漏洞源于向/api/v1/origins端点发送特制非UTF-8字符串作为select-asn查询参数时可能导致崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| NLnet Labs | Routinator | 0.15.2 ~ * | - |
II. Public POCs for CVE-2026-49234
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49234
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-49234 (1)
Same Patch Batch · NLnet Labs · 2026-06-08 · 4 CVEs total
| CVE-2026-49233 | Routinator cache path traversal using rogue rsync URIs | |
| CVE-2026-49232 | Routinator exits when accepting an incoming HTTP or RTR connection fails | |
| CVE-2026-49235 | Routinator crashes on specifically crafted RRDP XML files |
IV. Related Vulnerabilities
Same product: Routinator
- CVE-2026-49235
Routinator crashes on specifically crafted RRDP XML files - CVE-2026-49233
Routinator cache path traversal using rogue rsync URIs - CVE-2026-49232
Routinator exits when accepting an incoming HTTP or RTR conn - CVE-2025-0638
Routinator crashes when illegal characters are present in ma - CVE-2024-1622
Routinator terminates when RTR connection is reset too quick
Same vendor: NLnet Labs
- CVE-2026-12490
Bypass of client certificate verification with transfer over - CVE-2026-12246
Out of bounds stack write with crafted APL RR - CVE-2026-12245
Denial of DNS over TLS service by any DoT client - CVE-2026-12244
Heap overflow and crash with crafted SVCB RR - CVE-2026-10846
Insufficient verification that responses belong to a query
Same weakness: CWE-20
- CVE-2026-13434
Virt-controller-rhel9: kubevirt: kubevirt: multus default-ne - CVE-2026-52801
Gogs: Ability to import local repositories via Mirror Settin - CVE-2025-64719
Gogs: Denial of Service in repository/wiki file listing web - CVE-2026-13024
Chrome <149.0.7827.197 导航输入验证不足致站点隔离绕过 - CVE-2026-13025
Chrome<149.0.7827.197 DevTools竞态条件致沙箱逃逸
V. Comments for CVE-2026-49234
No comments yet