RTI Connext Professional CVE-2026-2467
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable RTPS parser with no auth or interaction (AV:N/AC:L/PR:N/UI:N); scope changed because the subsequent DDS domain is affected (SA:H), no confidentiality impact, integrity low, availability high.
Primary rating from Vendor (RTI).
CVSS VectorVendor: RTI
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Heap-based Buffer Overflow vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*.
AnalysisAI
Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to corrupt heap memory in the DDS middleware, impacting integrity and availability of both the vulnerable component and downstream subsystems. The flaw spans a wide range of long-supported branches (5.0.x through 7.6.x) and carries a CVSS 4.0 score of 9.2, though no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker needs network-layer reachability to a Connext participant's RTPS endpoint (typically UDP on the configured DDS discovery and user-traffic ports) and the ability to send a crafted RTPS message containing the malformed variables/tags that trigger the heap overflow; per CVSS 4.0 AV:N/AC:L/PR:N/UI:N no authentication, user interaction, or special attack requirements (AT:N) are needed, so default Connext deployments that expose RTPS on a routable interface are directly exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals strongly suggest a high-priority issue: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N indicates network-reachable, low-complexity, unauthenticated exploitation with no user interaction, and impact metrics VA:H/SA:H show availability damage extends to a subsequent system - consistent with a participant crash cascading into the broader DDS domain. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to a Connext participant - for example, a compromised host on the same operational segment, or an internet-exposed DDS gateway - sends a crafted RTPS message containing oversized variable or tag fields that the Core Libraries deserialize into an undersized heap allocation. The resulting out-of-bounds write corrupts heap metadata, crashing the participant and disrupting the DDS domain's discovery and data flow; given the subsequent-system availability impact (SA:H), a single malformed packet can cascade into broader middleware outage across publishers and subscribers in the domain. … |
| Remediation | Patch available per vendor advisory - upgrade Connext Professional to a fixed release on the relevant branch: 7.7.0 or later for the 7.4.x-7.6.x line, and 7.3.1.3 or later for the 7.0.x-7.3.x line, per the RTI advisory at https://www.rti.com/vulnerabilities/#cve-2026-2467; for the legacy 6.1.x, 6.0.x, 5.3.x, and 5.0.x-5.2.x branches, consult RTI directly since fixed point releases for those long-term-support trains must be confirmed with the vendor and may require a support contract. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct comprehensive audit of all RTI Connext Professional installations across infrastructure using asset inventory and software scanning tools; identify all systems running versions 5.0.x through 7.6.x. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Connext Professional
View allOut-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond int
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Profes
Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a
XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers
XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthentic
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext
Network traffic sniffing in RTI Connext Professional 7.2.0-7.3.0 and 7.4.0-7.6.x exposes private personal information to
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin
In RTI Connext Professional 5.3.1 through 6.1.0 before 6.1.1, a buffer overflow in XML parsing from Routing Service, Rec
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today