| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ntpd | rust | < 0.3.7 | 0.3.7 |
The vulnerability stems from a dependency on an outdated version of rustls-webpki (CVE-2018-16875 via RUSTSEC-2023-0053) rather than from specific functions in ntpd-rs itself. The key issue was in rustls-webpki's certificate path-building logic, which could be exploited to cause excessive CPU usage during NTS key validation. The ntpd-rs codebase patched this by updating dependencies (rustls-webpki to >=0.101.4) rather than modifying its own functions. No specific vulnerable functions were identified in ntpd-rs' code; the risk existed purely through the vulnerable third-party component's certificate validation routines.