{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26076", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.901Z", "datePublished": "2026-02-12T21:48:44.651Z", "dateUpdated": "2026-02-13T16:00:13.690Z"}, "containers": {"cna": {"title": "ntpd-rs affected by excessive CPU load from malformed packets", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv"}, {"name": "https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24", "tags": ["x_refsource_MISC"], "url": "https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24"}, {"name": "https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1"}], "affected": [{"vendor": "pendulum-project", "product": "ntpd-rs", "versions": [{"version": "< 1.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T21:48:44.651Z"}, "descriptions": [{"lang": "en", "value": "ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1."}], "source": {"advisory": "GHSA-c7j7-rmvr-fjmv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T15:59:59.828414Z", "id": "CVE-2026-26076", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T16:00:13.690Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26076", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T15:59:59.828414Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T16:00:08.904Z"}}], "cna": {"title": "ntpd-rs affected by excessive CPU load from malformed packets", "source": {"advisory": "GHSA-c7j7-rmvr-fjmv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "pendulum-project", "product": "ntpd-rs", "versions": [{"status": "affected", "version": "< 1.7.1"}]}], "references": [{"url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv", "name": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24", "name": "https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1", "name": "https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T21:48:44.651Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26076", "state": "PUBLISHED", "dateUpdated": "2026-02-13T16:00:13.690Z", "dateReserved": "2026-02-10T18:01:31.901Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T21:48:44.651Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tweedegolf:ntpd-rs:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2C768535-5DA1-435E-819F-F942E3D20460", "versionEndExcluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1."}, {"lang": "es", "value": "ntpd-rs es una implementaci\u00f3n completa del Protocolo de Tiempo de Red. Antes de la versi\u00f3n 1.7.1, un atacante puede inducir remotamente aumentos moderados (2-4 veces por encima de lo normal) en el uso de la CPU. Cuando NTS est\u00e1 habilitado en un servidor ntpd-rs, un atacante puede crear paquetes NTS malformados que requieren un esfuerzo significativamente mayor para que el servidor responda al solicitar un gran n\u00famero de cookies. Esto puede llevar a una degradaci\u00f3n del rendimiento del servidor incluso cuando un servidor podr\u00eda manejar la carga de otra manera. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.7.1."}], "id": "CVE-2026-26076", "lastModified": "2026-02-23T15:51:55.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T22:16:06.960", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.1)"}}], "product": "ntpd-rs", "vendor": "pendulum-project"}], "analysis": {"en": {"generated_at": "2026-04-17T19:56:30.209445+00:00", "value": {"mitigation_remediation": ["Upgrade ntpd-rs to version 1.7.1 or later to remove the resource exhaustion flaw.", "If an immediate upgrade is not possible, disable NTS support on the ntpd\u2011rs server to eliminate the attack vector.", "After applying mitigation, monitor CPU utilization for unusual spikes and restrict NTP traffic with firewall rules as an additional precaution."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via CPU exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects pendulum-project ntpd-rs implementations before version 1.7.1. Any system running ntpd\u2011rs versions 1.0 through 1.7.0 with NTS enabled is susceptible. Confirm server version and upgrade if needed.", "description_and_impact": "An attacker can send malformed NTS packets to ntpd-rs, triggering a CPU\u2011intensive cookie request loop. This causes moderate CPU load increases, degrading service availability. The flaw is a resource exhaustion vulnerability (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. The EPSS score is below 1\u202f%, suggesting low current exploitation probability, and the issue is not listed in the KEV catalog. However, the flaw is exploitable over the network by sending crafted NTS packets to a reachable ntpd\u2011rs instance. The required conditions are that NTS be enabled and the server accepts incoming traffic, making the vulnerability remotely exploitable for disruption."}}}}, "created": "2026-02-13T21:29:18.334217+00:00", "updated": "2026-04-17T20:00:09.038139+00:00", "vendors": ["pendulum-project", "pendulum-project$PRODUCT$ntpd-rs"]}