CVE-2026-29785
Published: 25 March 2026
Summary
CVE-2026-29785 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Foundation NATS-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 32.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of identified flaws, directly mandating upgrades to NATS-Server versions 2.11.14 or 2.12.5 to eliminate the NULL pointer dereference causing pre-authentication crashes.
Mandates secure error handling to prevent system crashes from exceptions like the NULL pointer dereference triggered during leafnode pre-authentication processing.
Requires validation of incoming information to block crafted inputs that exploit the compression-enabled leafnode port and trigger the server panic.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated NULL dereference on leafnode port (public-facing NATS server) directly enables T1190 for initial exploitation and T1499.004 for resulting application crash/DoS.
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
Deeper analysis
CVE-2026-29785 is a denial-of-service vulnerability in NATS-Server, a high-performance server for the NATS.io cloud and edge native messaging system. The issue affects versions prior to 2.11.14 and 2.12.5, specifically when the non-default "leafnode" configuration is enabled. It stems from a NULL pointer dereference (CWE-476) that triggers a panic during pre-authentication handling, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated remote attacker who can connect to the leafnode port can exploit this by sending crafted input, provided compression is enabled—which is the default when leafnodes are used. Successful exploitation causes the nats-server process to crash, resulting in a denial of service with high availability impact but no confidentiality or integrity effects.
NATS advisories recommend upgrading to versions 2.11.14 or 2.12.5, which contain the fix via a specific commit. As a workaround, administrators can disable compression on the leafnode port. Details are available in the NATS security advisory, GitHub security advisory GHSA-52jh-2xxh-pwh6, and the patching commit.
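The triage logic implied by the paragraphs above, as an added example (not code from NATS or from this page): it classifies a server from its version string and two facts about its configuration. The function names, status labels and inventory rows are constructed for illustration, and treating release lines newer than 2.12 as fixed is an assumption.

```python
import re

# Fixed releases named in the advisory text, keyed by (major, minor) release line.
FIXED = {(2, 11): (2, 11, 14), (2, 12): (2, 12, 5)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) from e.g. 'nats-server: v2.11.13'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no semantic version in {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None


def is_patched(version, prerelease=False):
    line = version[:2]
    if line in FIXED:
        fixed = FIXED[line]
        # A pre-release of the fixed version is treated as unpatched (conservative).
        return version > fixed or (version == fixed and not prerelease)
    # Assumption: lines newer than 2.12 carry the fix; older lines have no fixed release.
    return line > max(FIXED)


def assess(version_text, leafnodes_enabled, compression_enabled=True):
    """Classify one server. compression_enabled defaults to True, matching the
    advisory's statement that compression is on by default when leafnodes are used."""
    version, prerelease = parse_version(version_text)
    if is_patched(version, prerelease):
        return "patched"
    if not leafnodes_enabled:
        return "not_exposed"          # leafnode listener absent: precondition not met
    if not compression_enabled:
        return "workaround_applied"   # upgrade still outstanding
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: (host label, version string, leafnodes on, compression on)
    inventory = [
        ("edge-a", "nats-server: v2.11.13", True, True),
        ("edge-b", "v2.12.0", True, True),
        ("core-a", "2.12.5", True, True),
        ("core-b", "2.10.29", True, False),
    ]
    for host, ver, leaf, comp in inventory:
        print(f"{host:8} {ver:24} {assess(ver, leaf, comp)}")
```

The per-line comparison matters because a 2.12.x build below 2.12.5 sorts above 2.11.14 numerically yet is still affected.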
Details
- CWE(s)