Skip to main content

RTI Connext Professional CVE-2026-2467

CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-06-17 RTI
9.2
CVSS 4.0 · Vendor: RTI
Share

Severity by source

Vendor (RTI) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Network-reachable RTPS parser with no auth or interaction (AV:N/AC:L/PR:N/UI:N); scope changed because the subsequent DDS domain is affected (SA:H), no confidentiality impact, integrity low, availability high.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H

Primary rating from Vendor (RTI).

CVSS VectorVendor: RTI

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 18:05 vuln.today

DescriptionCVE.org

Heap-based Buffer Overflow vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*.

AnalysisAI

Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to corrupt heap memory in the DDS middleware, impacting integrity and availability of both the vulnerable component and downstream subsystems. The flaw spans a wide range of long-supported branches (5.0.x through 7.6.x) and carries a CVSS 4.0 score of 9.2, though no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable DDS participant on RTPS port
Delivery
Craft malformed RTPS message with oversized variables/tags
Exploit
Send packet to Connext Core Libraries parser
Execution
Trigger heap overflow in deserialization
Persist
Corrupt heap metadata and crash participant
Impact
Cascade availability loss across DDS domain

Vulnerability AssessmentAI

Exploitation The attacker needs network-layer reachability to a Connext participant's RTPS endpoint (typically UDP on the configured DDS discovery and user-traffic ports) and the ability to send a crafted RTPS message containing the malformed variables/tags that trigger the heap overflow; per CVSS 4.0 AV:N/AC:L/PR:N/UI:N no authentication, user interaction, or special attack requirements (AT:N) are needed, so default Connext deployments that expose RTPS on a routable interface are directly exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals strongly suggest a high-priority issue: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N indicates network-reachable, low-complexity, unauthenticated exploitation with no user interaction, and impact metrics VA:H/SA:H show availability damage extends to a subsequent system - consistent with a participant crash cascading into the broader DDS domain. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to a Connext participant - for example, a compromised host on the same operational segment, or an internet-exposed DDS gateway - sends a crafted RTPS message containing oversized variable or tag fields that the Core Libraries deserialize into an undersized heap allocation. The resulting out-of-bounds write corrupts heap metadata, crashing the participant and disrupting the DDS domain's discovery and data flow; given the subsequent-system availability impact (SA:H), a single malformed packet can cascade into broader middleware outage across publishers and subscribers in the domain. …
Remediation Patch available per vendor advisory - upgrade Connext Professional to a fixed release on the relevant branch: 7.7.0 or later for the 7.4.x-7.6.x line, and 7.3.1.3 or later for the 7.0.x-7.3.x line, per the RTI advisory at https://www.rti.com/vulnerabilities/#cve-2026-2467; for the legacy 6.1.x, 6.0.x, 5.3.x, and 5.0.x-5.2.x branches, consult RTI directly since fixed point releases for those long-term-support trains must be confirmed with the vendor and may require a support contract. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct comprehensive audit of all RTI Connext Professional installations across infrastructure using asset inventory and software scanning tools; identify all systems running versions 5.0.x through 7.6.x. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-3894 CRITICAL
9.2 Jun 17

Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond int

CVE-2024-52057 CRITICAL
9.1 Dec 13

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Profes

CVE-2026-7300 HIGH
8.8 Jun 17

Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a

CVE-2025-14543 HIGH
8.8 Apr 30

XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers

CVE-2026-4374 HIGH
8.8 Apr 01

XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthentic

CVE-2024-52058 HIGH
8.6 Dec 13

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext

CVE-2025-10450 HIGH
8.3 Dec 16

Network traffic sniffing in RTI Connext Professional 7.2.0-7.3.0 and 7.4.0-7.6.x exposes private personal information to

CVE-2024-52066 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin

CVE-2024-52063 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L

CVE-2024-52061 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L

CVE-2024-52060 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin

CVE-2024-25724 HIGH
7.3 May 21

In RTI Connext Professional 5.3.1 through 6.1.0 before 6.1.1, a buffer overflow in XML parsing from Routing Service, Rec

Share

CVE-2026-2467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy