CVE-2021-41531

7.5 HIGH

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA

Published: 2021-09-21 · Last updated: 2026-06-17

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-1288, CWE-20

Affected products

Vendor: nlnetlabs
Product: routinator

Description

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. This will lead RTR clients, such as routers, to reject the RPKI data set, effectively disabling Route Origin Validation.

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-49235 When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes (7.5 HIGH)
  • CVE-2026-49234 When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes (7.5 HIGH)
  • CVE-2026-49233 Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator ... (7.5 HIGH)
  • CVE-2026-44608 NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are m... (5.9 MEDIUM)
  • CVE-2026-44390 NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs... (5.3 MEDIUM)

Same CWE

  • CVE-2026-12191 A vulnerability was found in Comma AI Openpilot 0.11 (7.8 HIGH)
  • CVE-2026-45013 ApostropheCMS is an open-source Node.js content management system (8.1 HIGH)
  • CVE-2026-54133 jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP app... (9.8 CRITICAL)
  • CVE-2026-47196 Quest Bot is an opensource Discord Bot
  • CVE-2026-50633 A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)