The CVE number for this vulnerability is CVE-2021-41531. == Summary Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. This will lead to RTR clients such as routers to reject the RPKI data set, effectively disabling Route Origin Validation. == Affected products Routinator up to and including 0.9.0. == Description Due to lack of checking of ROA object content, Routinator will simply pass through any max-length value provided in the ROA. However, a max-length value must never be larger than the maximum prefix length of the address family. Data with larger values will be considered invalid by any RTR client leading to a rejection of the entire data set. == Solution Download Routinator version 0.10.0 or later. == Acknowledgments We would like to thank Job Snijders for reporting the issue.