CVE-2026-39042
MikroTik · RouterOS
A pre-authentication integer overflow in the unflatten() function of the MikroTik RouterOS libumsg.so library allows remote attackers to cause a denial of service.
Executive summary
A high-severity integer overflow vulnerability in MikroTik RouterOS allows remote, unauthenticated attackers to crash critical system services, leading to a denial of service.
Vulnerability
The vulnerability resides in the nv::message::unflatten() function, which is a core message deserialization routine used across multiple RouterOS services. An attacker can trigger an integer overflow by sending a specially crafted message, resulting in a denial of service condition.
Business impact
The flaw allows for a remote denial of service against core network infrastructure, potentially leading to widespread network outages. With a CVSS score of 7.5, the ability for an unauthenticated attacker to disrupt critical routing services presents a high risk to business continuity and operational availability.
Remediation
Immediate Action: Upgrade MikroTik RouterOS to version 7.21.4 or 7.22.2 immediately to incorporate the necessary security fixes.
Proactive Monitoring: Monitor device uptime and system logs for unexpected reboots or service crashes that might indicate exploitation attempts.
Compensating Controls: Utilize firewall rules to limit management access to known, trusted IP addresses and disable unnecessary services that rely on the affected library.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Because this vulnerability impacts a core deserialization function, it is highly likely to be targeted by attackers seeking to disrupt network availability. Organizations should apply the specified firmware updates immediately to secure their routing infrastructure against this high-severity denial of service threat.