NULL pointer dereference in nats-server - #VU135936
Published: June 30, 2026
nats-server
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the leafnode handshake logic when processing repeated leafnode INFO protocol messages before authentication and account setup complete. A remote attacker can send repeated INFO messages to cause a denial of service.
Only leafnode listeners with compression enabled are vulnerable.
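To check whether a given server matches that condition, the following added example (not part of the original advisory or the nats-server project) classifies a nats-server configuration by whether it defines a leafnode listener and what compression setting that listener carries. The `leafnodes`/`leaf` block name, the `port`, `listen`, `compression` and `mode` keys, and the values treated as disabled are assumptions about the configuration syntax; the sample configuration is constructed, and the parsing is simplified (braces inside quoted strings are not handled).

```python
import re

# Assumption: values that mean "compression disabled" in a nats-server config.
OFF = {"off", "disabled", "false"}

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """
leafnodes {
  port: 7422            # leafnode listener
  compression: s2_auto
  remotes = [ { url: "nats://hub.example:7422", compression: off } ]
}
"""

def leaf_compression_exposure(conf):
    """Classify a config for the advisory's condition: listener + compression."""
    # Drop comments that start a line or follow whitespace (keeps nats:// URLs).
    text = re.sub(r"(?m)(^|\s)(#|//).*$", "", conf)
    m = re.search(r"(?im)^\s*(?:leafnodes|leaf)\s*[:=]?\s*\{", text)
    if not m:
        return "no-leafnode-listener"
    depth, top, keep = 1, [], False
    for c in text[m.end():]:
        if c in "{[":
            if depth == 1:  # keep only a nested "compression { mode: ... }" map
                keep = bool(re.search(r"\bcompression\s*[:=]?\s*$", "".join(top)))
            depth += 1
        elif c in "}]":
            depth -= 1
            if depth == 0:
                break
            if depth == 1:
                keep = False
                top.append("\n")
        elif depth == 1 or keep:
            top.append(c)  # per-remote settings (depth > 1) are skipped
    body = "".join(top)
    if not re.search(r"\b(?:port|listen)\b", body):
        return "no-leafnode-listener"  # remotes only: outbound connections
    mode = (re.search(r"\bcompression\s*[:=]?\s*mode\s*[:=]?\s*[\"']?(\w+)", body)
            or re.search(r"\bcompression\s*[:=]?\s*[\"']?(\w+)", body))
    if not mode:
        return "listener-compression-default"  # key absent: server default applies
    # Anything not explicitly off (including "accept") is reported as on.
    return ("listener-compression-off" if mode.group(1).lower() in OFF
            else "listener-compression-on")

if __name__ == "__main__":
    print(leaf_compression_exposure(SAMPLE))
```

A result of `listener-compression-default` means the key is absent and the server's built-in default decides, so confirm it against the documentation for the deployed version.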