CVE-2026-26076

Medium

Published: 12 February 2026
Modified: 23 February 2026
KEV Added:
Patch:
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0007 (22.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26076 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Tweedegolf ntpd-rs. Its CVSS v4 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-26076 affects ntpd-rs, a full-featured implementation of the Network Time Protocol, in versions prior to 1.7.1. The vulnerability allows an attacker to remotely induce moderate increases in CPU usage, approximately 2-4 times above normal levels. Specifically, when Network Time Security (NTS) is enabled on an ntpd-rs server, malformed NTS packets that request a large number of cookies force the server to expend significantly more effort in processing them, leading to degraded performance even under otherwise manageable loads. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted NTS packets to the server. No user interaction or privileges are required, making it accessible over the network with low complexity. Successful exploitation results in a denial-of-service condition through elevated CPU consumption, impairing the server's ability to handle legitimate NTP traffic and potentially disrupting time synchronization services.

The vulnerability is addressed in ntpd-rs version 1.7.1, which includes a fix via the commit at https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24. Security practitioners should update to this release, available at https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1. Additional details are provided in the GitHub security advisory at https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv.

Vulnerability details

ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in CPU usage. When NTS is enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote resource exhaustion (CPU) via crafted NTS packets against a public-facing NTP service, directly matching application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (Shared CWE-770)
CVE-2026-3260 (Shared CWE-770)
CVE-2025-66560 (Shared CWE-770)
CVE-2025-68136 (Shared CWE-770)
CVE-2020-37038 (Shared CWE-770)
CVE-2025-36070 (Shared CWE-770)
CVE-2021-47791 (Shared CWE-770)
CVE-2021-47876 (Shared CWE-770)
CVE-2019-25342 (Shared CWE-770)
CVE-2026-44004 (Shared CWE-770)

Affected Assets

Vendor: tweedegolf
Product: ntpd-rs
Versions: ≤ 1.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 mandates timely flaw remediation, directly addressing this CVE by patching ntpd-rs to version 1.7.1 which fixes the malformed NTS packet processing vulnerability.

Prevent: SC-5 implements denial-of-service protections like rate limiting at system entry points to block excessive malformed NTS cookie requests causing CPU exhaustion.

Prevent: SC-6 protects resource availability by enforcing CPU resource allocation and throttling mechanisms to mitigate exhaustion from unthrottled NTS packet handling.
