CVE-2026-58250
Received Received - Intake

Denial of Service in NATS Server via Leafnode Handshake

Vulnerability report for CVE-2026-58250, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
nats_io nats_server to 2.11.17 (exc)
nats server to 2.12.8 (inc)
nats server to 2.11.17 (inc)
nats server to 2.11.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58250 is a high-severity vulnerability in the NATS Server affecting versions prior to 2.12.8 and 2.11.17. It occurs when an unauthenticated attacker with network access to a leafnode listener that has compression enabled sends repeated INFO protocol messages during the pre-authentication leafnode handshake.

This causes the server to crash due to a nil pointer dereference because certain expected client state variables are not yet set when the second INFO message is processed. The flaw leads to a denial-of-service (DoS) condition by triggering a process panic.

The vulnerability is related to incomplete fixes from previous CVEs and is classified as CWE-476 (NULL pointer dereference). It can be mitigated by disabling leafnode compression until patched versions are deployed.

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition on the NATS Server. An attacker can crash the server remotely without authentication or user interaction by exploiting the flaw during the leafnode handshake.

The server crash results in loss of availability of the messaging system, potentially disrupting communication and services that depend on the NATS Server.

Detection Guidance

This vulnerability can be detected by monitoring network traffic to leafnode listeners of the NATS server for repeated or multiple INFO protocol messages sent before authentication and account setup completes during the leafnode handshake.

Specifically, detection involves identifying an unauthenticated peer sending repeated INFO messages during the pre-authentication leafnode handshake when compression is enabled.

While no explicit commands are provided in the resources, network packet capture tools such as tcpdump or Wireshark can be used to filter and analyze traffic to the leafnode listener port for multiple INFO messages before authentication.

  • Use tcpdump to capture traffic on the leafnode listener port: tcpdump -i <interface> port <leafnode_port> -w capture.pcap
  • Analyze the capture with Wireshark or similar tools to look for repeated INFO protocol messages before authentication completes.

Additionally, reviewing server logs for unexpected panics or crashes during leafnode handshake phases may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include disabling leafnode compression on the NATS server until the server is upgraded to a patched version.

The vulnerability is fixed in NATS Server versions 2.12.8 and 2.11.17, so upgrading to at least these versions is strongly recommended.

  • Disable leafnode compression in the server configuration to prevent exploitation.
  • Upgrade NATS Server to version 2.12.8 or 2.11.17 or later, which include fixes that reject repeated INFO messages with an authorization violation error instead of crashing.

These steps will prevent unauthenticated attackers from causing a denial-of-service by crashing the server during the leafnode handshake.

Compliance Impact

The vulnerability CVE-2026-58250 causes a denial-of-service (DoS) condition by crashing the NATS server during a pre-authentication leafnode handshake. It impacts availability but does not involve unauthorized data access, data leakage, or modification of data.

Since the vulnerability primarily affects server availability without compromising confidentiality or integrity of data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which focus on protecting personal data privacy and security.

However, prolonged or repeated denial-of-service conditions could indirectly affect compliance by disrupting service availability, which may be a consideration under certain regulatory frameworks that require continuous service or data availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart