Main Vulnerability Database SB20250228129

SB20250228129 - Multiple vulnerabilities in ntpd-rs

Published: February 28, 2025 Updated: April 24, 2026

Security Bulletin ID SB20250228129

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Division by zero (CVE-ID: N/A)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to division by zero in the NTS client cookie handling logic when calculating the number of new cookies to request from zero-sized cookies. A remote user can send zero-sized cookies to cause a denial of service.

Only configured NTS sources can exploit this issue; unconfigured NTP sources and third parties cannot.

2) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in the NTS client request buffer handling when including oversized cookies in an NTP request. A remote user can send an oversized cookie to cause a denial of service.

The attempted write does not write memory outside the buffer. Only configured NTS sources can exploit this issue; unconfigured NTP sources and third parties cannot.

Remediation

Install update from vendor's website.

References

https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-v83q-83hj-rw38