CVE-2026-26076
Published: 12 February 2026
Summary
CVE-2026-26076 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Tweedegolf Ntpd-Rs. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-26076 affects ntpd-rs, a full-featured implementation of the Network Time Protocol, in versions prior to 1.7.1. The vulnerability allows an attacker to remotely induce moderate increases in CPU usage, approximately 2-4 times above normal levels. Specifically, when Network Time Security (NTS) is enabled on an ntpd-rs server, malformed NTS packets that request a large number of cookies force the server to expend significantly more effort in processing them, leading to degraded performance even under otherwise manageable loads. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted NTS packets to the server. No user interaction or privileges are required, making it accessible over the network with low complexity. Successful exploitation results in a denial-of-service condition through elevated CPU consumption, impairing the server's ability to handle legitimate NTP traffic and potentially disrupting time synchronization services.
The vulnerability is addressed in ntpd-rs version 1.7.1, which includes a fix via the commit at https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24. Security practitioners should update to this release, available at https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1. Additional details are provided in the GitHub security advisory at https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv.
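As an added illustration (not the ntpd-rs fix and not code from this page), the following shows the general CWE-770 countermeasure for the cookie-request behaviour described above: check extension-field framing cheaply, then cap the number of cookies generated per request. It assumes cookies are requested through cleartext RFC 8915 cookie and cookie-placeholder extension fields; `MAX_COOKIES`, `Verdict`, `cookies_to_issue` and `sample_request` are hypothetical names.

```rust
// Added example, NOT the ntpd-rs patch. Field type codes are from RFC 8915;
// MAX_COOKIES and every name below are assumptions made for illustration.
const NTP_HEADER_LEN: usize = 48;
const EF_NTS_COOKIE: u16 = 0x0204;
const EF_NTS_COOKIE_PLACEHOLDER: u16 = 0x0304;
const MAX_COOKIES: usize = 8; // assumed cap
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Issue(usize), // cookies the server will mint for this request
    Malformed,    // broken framing: drop before any crypto work
}

/// Walk the cleartext extension fields and bound the cookie work.
pub fn cookies_to_issue(packet: &[u8]) -> Verdict {
    let Some(mut rest) = packet.get(NTP_HEADER_LEN..) else {
        return Verdict::Malformed;
    };
    let mut requested = 0usize;
    while !rest.is_empty() {
        if rest.len() < 4 { return Verdict::Malformed; }
        let ty = u16::from_be_bytes([rest[0], rest[1]]);
        let len = u16::from_be_bytes([rest[2], rest[3]]) as usize;
        // Length includes the 4-byte header, is 4-byte aligned, and must fit.
        if len < 4 || len % 4 != 0 || len > rest.len() {
            return Verdict::Malformed;
        }
        if ty == EF_NTS_COOKIE || ty == EF_NTS_COOKIE_PLACEHOLDER {
            requested += 1;
        }
        rest = &rest[len..];
    }
    Verdict::Issue(requested.min(MAX_COOKIES))
}

/// Constructed sample: zeroed header, one cookie field, `n` placeholders.
pub fn sample_request(n: usize) -> Vec<u8> {
    let mut p = vec![0u8; NTP_HEADER_LEN];
    for i in 0..=n {
        let ty = if i == 0 { EF_NTS_COOKIE } else { EF_NTS_COOKIE_PLACEHOLDER };
        p.extend_from_slice(&ty.to_be_bytes());
        p.extend_from_slice(&16u16.to_be_bytes());
        p.extend_from_slice(&[0u8; 12]);
    }
    p
}

fn main() {
    for n in [2, 60] { println!("{n}: {:?}", cookies_to_issue(&sample_request(n))); }
}
```

The cap bounds per-packet work regardless of how many fields arrive; it complements, and does not replace, upgrading to 1.7.1.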
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6163
Vulnerability details
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in CPU usage. When NTS is enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote resource exhaustion (CPU) via crafted NTS packets against a public-facing NTP service, directly matching application/system exploitation for endpoint DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, directly addressing this CVE by patching ntpd-rs to version 1.7.1, which fixes the malformed NTS packet processing vulnerability.
SC-5 implements denial-of-service protections like rate limiting at system entry points to block excessive malformed NTS cookie requests causing CPU exhaustion.
SC-6 protects resource availability by enforcing CPU resource allocation and throttling mechanisms to mitigate exhaustion from unthrottled NTS packet handling.