Vulnerability Description
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tweedegolf | Ntpd-Rs | < 1.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba2Patch
- https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1ProductRelease Notes
- https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fVendor Advisory
FAQ
What is CVE-2026-26076?
CVE-2026-26076 is a vulnerability with a CVSS score of 7.5 (HIGH). ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enable...
How severe is CVE-2026-26076?
CVE-2026-26076 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-26076?
Check the references section above for vendor advisories and patch information. Affected products include: Tweedegolf Ntpd-Rs.