Skip to main content

Connext Professional CVE-2026-2394

| EUVDEUVD-2026-17737 MEDIUM
Buffer Over-read (CWE-126)
2026-04-01 RTI GHSA-g9xm-7c5j-7cx6
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.1.,5.2.,5.3.
EUVD ID Assigned
Apr 01, 2026 - 01:15 euvd
EUVD-2026-17737
Analysis Generated
Apr 01, 2026 - 01:15 vuln.today
CVE Published
Apr 01, 2026 - 00:52 nvd
MEDIUM 6.3

DescriptionCVE.org

Buffer Over-read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.

AnalysisAI

Buffer over-read vulnerability in RTI Connext Professional Core Libraries allows unauthenticated remote attackers to read beyond allocated buffer boundaries, potentially leaking sensitive data. Affected versions span multiple major release lines: 7.4.0-7.6.x, 7.0.0-7.3.0.x, 6.1.0-6.1.x, 6.0.0-6.0.x, 5.3.0-5.3.x, and 4.3x-5.2.x. The CVSS 6.3 score reflects low confidentiality impact with network-based attack surface; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Technical ContextAI

This vulnerability is rooted in CWE-126 (Buffer Over-read), a memory safety flaw in which the affected Core Libraries component of RTI Connext Professional fails to properly validate buffer boundaries during read operations. The defect affects the messaging middleware framework across multiple architectural revisions. The CVSS 4.0 vector indicates network-accessible attack surface (AV:N) with low attack complexity (AC:L), temporal attacks (AT:P), and unauthenticated access (PR:N), suggesting the vulnerability can be triggered via malformed network packets or specially crafted middleware protocol messages. The confidentiality impact (VC:L) and availability impact (VA:L) indicate an attacker could leak non-critical data or trigger service degradation.

RemediationAI

Apply vendor-released patches immediately: upgrade Connext Professional 7.4.x-7.6.x installations to version 7.7.0 or later, upgrade 7.0.0-7.3.0.x to version 7.3.1.1 or later, and upgrade all versions 6.1.x and earlier to the next available major release per RTI's release roadmap. Organizations unable to upgrade immediately should isolate Connext Professional infrastructure from untrusted networks, restrict inbound network access to known safe peers, and monitor RTI's security advisory page at https://www.rti.com/vulnerabilities/ for additional guidance. Consult RTI support for long-term support (LTS) versions and upgrade timelines specific to your deployment.

CVE-2026-2467 CRITICAL
9.2 Jun 17

Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to

CVE-2026-3894 CRITICAL
9.2 Jun 17

Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond int

CVE-2024-52057 CRITICAL
9.1 Dec 13

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Profes

CVE-2026-7300 HIGH
8.8 Jun 17

Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a

CVE-2025-14543 HIGH
8.8 Apr 30

XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers

CVE-2026-4374 HIGH
8.8 Apr 01

XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthentic

CVE-2024-52058 HIGH
8.6 Dec 13

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext

CVE-2025-10450 HIGH
8.3 Dec 16

Network traffic sniffing in RTI Connext Professional 7.2.0-7.3.0 and 7.4.0-7.6.x exposes private personal information to

CVE-2024-52066 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin

CVE-2024-52063 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L

CVE-2024-52061 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L

CVE-2024-52060 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin

Share

CVE-2026-2394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy