Cyber Resilience

CVE-2026-29785

High

Published: 25 March 2026

Modified: 26 March 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29785 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29785 is a denial-of-service vulnerability in NATS-Server, a high-performance server for the NATS.io cloud and edge native messaging system. The issue affects versions prior to 2.11.14 and 2.12.5, specifically when the non-default "leafnode" configuration is enabled. It stems from a NULL pointer dereference (CWE-476) that triggers a panic during pre-authentication handling, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated remote attacker who can connect to the leafnode port can exploit this by sending crafted input, provided compression is enabled—which is the default when leafnodes are used. Successful exploitation causes the nats-server process to crash, resulting in a denial of service with high availability impact but no confidentiality or integrity effects.

NATS advisories recommend upgrading to versions 2.11.14 or 2.12.5, which contain the fix via a specific commit. As a workaround, administrators can disable compression on the leafnode port. Details are available in the NATS security advisory, GitHub security advisory GHSA-52jh-2xxh-pwh6, and the patching commit.
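The conditions described above (a version older than the fixed releases, a leafnode configuration, and compression not disabled) can be checked together. The following is an added example, not code from this page or from the NATS project: the `leafnodes` block and `compression: off` setting follow the NATS server configuration format, the regex-based parsing is a heuristic rather than a full config parser, and the sample configs are constructed.

```python
import re

# Fixed patch level per release line, as stated on this page.
FIXED = {(2, 11): 14, (2, 12): 5}

def version_affected(version):
    """True if the version predates the fixed releases named on this page."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-[\w.]+)?", version)
    if not m:
        raise ValueError(f"no semantic version in {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    # Assumptions: a pre-release of a fixed version is unfixed; lines after 2.12 are fixed.
    if (major, minor) in FIXED:
        fixed = FIXED[(major, minor)]
        return patch < fixed or (patch == fixed and m.group(4) is not None)
    return (major, minor) < (2, 11)  # older lines are "prior to 2.11.14"

def top_level(text):
    """Blank out everything nested inside {...}, keeping character offsets."""
    out, depth = [], 0
    for ch in text:
        if ch == "}":
            depth -= 1
        out.append(ch if depth <= 0 else " ")
        if ch == "{":
            depth += 1
    return "".join(out)

def leafnode_compression_enabled(conf):
    """Heuristic: a leafnodes block exists and its own compression is not 'off'."""
    conf = re.sub(r"(?m)#.*$|^\s*//.*$", "", conf)  # drop comments
    flat = top_level(conf)
    block = re.search(r"\bleafnodes\b\s*[:=]?\s*\{", flat)
    if not block:
        return False
    end = flat.find("}", block.end())
    body = conf[block.end():end if end != -1 else len(conf)]
    key = re.search(r"\bcompression\b\s*[:=]?\s*", top_level(body))
    if not key:
        return True  # per the page, compression is on by default with leafnodes
    mode = re.match(r'(?:\{[^}]*?\bmode\b\s*[:=]?\s*)?"?(\w+)', body[key.end():])
    return not (mode and mode.group(1).lower() == "off")

# Constructed sample configs (not from a real deployment).
DEFAULT_CONF = 'leafnodes {\n  port: 7422\n}\n'
WORKAROUND_CONF = 'leafnodes {\n  port: 7422\n  compression: off\n}\n'

def exposed(version, conf):  # both conditions from the page must hold
    return version_affected(version) and leafnode_compression_enabled(conf)
```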

EU & UK References

Vulnerability details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated NULL dereference on leafnode port (public-facing NATS server) directly enables T1190 for initial exploitation and T1499.004 for resulting application crash/DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27889 (Same product: Linuxfoundation Nats-Server)
CVE-2026-27571 (Same product: Linuxfoundation Nats-Server)
CVE-2026-33218 (Same product: Linuxfoundation Nats-Server)
CVE-2026-33247 (Same product: Linuxfoundation Nats-Server)
CVE-2026-33217 (Same product: Linuxfoundation Nats-Server)
CVE-2026-33216 (Same product: Linuxfoundation Nats-Server)
CVE-2025-68141 (Same vendor: Linuxfoundation)
CVE-2024-24416 (Same vendor: Linuxfoundation)
CVE-2024-24420 (Same vendor: Linuxfoundation)
CVE-2026-26008 (Same vendor: Linuxfoundation)

Affected Assets

linuxfoundation
nats-server
≤ 2.11.14 · 2.12.0 — 2.12.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of identified flaws, directly mandating upgrades to NATS-Server versions 2.11.14 or 2.12.5 to eliminate the NULL pointer dereference causing pre-authentication crashes.

prevent

Mandates secure error handling to prevent system crashes from exceptions like the NULL pointer dereference triggered during leafnode pre-authentication processing.

prevent

Requires validation of incoming information to block crafted inputs that exploit the compression-enabled leafnode port and trigger the server panic.

References