CVE-2026-26076

ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24	Patch
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1	Product Release Notes
https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tweedegolf:ntpd-rs:*:*:*:*:*:rust:*:*

History

23 Feb 2026, 15:51

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Tweedegolf ntpd-rs Tweedegolf
Summary		(es) ntpd-rs es una implementación completa del Protocolo de Tiempo de Red. Antes de la versión 1.7.1, un atacante puede inducir remotamente aumentos moderados (2-4 veces por encima de lo normal) en el uso de la CPU. Cuando NTS está habilitado en un servidor ntpd-rs, un atacante puede crear paquetes NTS malformados que requieren un esfuerzo significativamente mayor para que el servidor responda al solicitar un gran número de cookies. Esto puede llevar a una degradación del rendimiento del servidor incluso cuando un servidor podría manejar la carga de otra manera. Esta vulnerabilidad está corregida en la versión 1.7.1.
References	~~() https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24 -~~	() https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24 - Patch
References	~~() https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1 -~~	() https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1 - Product, Release Notes
References	~~() https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv -~~	() https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv - Vendor Advisory
CPE		cpe:2.3:a:tweedegolf:ntpd-rs::::::rust::*

12 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 22:16

Updated : 2026-02-23 15:51

NVD link : CVE-2026-26076

Mitre link : CVE-2026-26076

CVE.ORG link : CVE-2026-26076

JSON object : View

Products Affected

tweedegolf

ntpd-rs

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10