CVE-2026-26076
Awaiting Analysis Awaiting Analysis - Queue
Resource Exhaustion via Malformed NTS Packets in ntpd-rs

Publication date: 2026-02-12

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26076
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tweedegolf ntpd-rs to 1.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ntpd-rs, a full-featured implementation of the Network Time Protocol. Prior to version 1.7.1, an attacker can remotely cause the server's CPU usage to increase moderately (2-4 times above normal). Specifically, when NTS (Network Time Security) is enabled, an attacker can send malformed NTS packets that force the server to expend significantly more effort by requesting a large number of cookies. This results in degraded server performance even if the server could normally handle the load.

Impact Analysis

The vulnerability can lead to degraded performance of the ntpd-rs server by causing increased CPU usage. This means the server may become slower or less responsive, potentially affecting time synchronization services that rely on it. In environments where accurate and timely network time is critical, this degradation could impact dependent systems or applications.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the ntpd-rs server to version 1.7.1 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart