Skip to main content

RTI Connext Professional CVE-2026-3894

CRITICAL
Out-of-bounds Read (CWE-125)
2026-06-17 RTI
9.2
CVSS 4.0 · Vendor: RTI
Share

Severity by source

Vendor (RTI) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Remote unauthenticated RTPS parsing flaw (AV:N/AC:L/PR:N/UI:N); crash and downstream bus impact justify A:H and Scope:Changed; confidentiality not impacted per vendor VC:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H

Primary rating from Vendor (RTI).

CVSS VectorVendor: RTI

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 18:05 vuln.today

DescriptionCVE.org

Out-of-bounds Read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*.

AnalysisAI

Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond intended buffer bounds, with the CVSS 4.0 vector (9.2 Critical) indicating high availability impact on both the vulnerable component and downstream systems consuming its data. The flaw affects a wide range of Connext Professional releases used as DDS middleware in defense, autonomous, and industrial deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable DDS participant
Delivery
Send crafted RTPS datagram
Exploit
Trigger out-of-bounds read in Core Libraries parser
Execution
Leak adjacent memory and crash participant
Impact
Cascade outage across dependent subscribers

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to a Connext participant's RTPS endpoints (typically UDP 7400/7401 discovery and the dynamic per-domain user-traffic ports) running an affected Core Libraries build from the 5.0.x-7.6.x range; no authentication, user interaction, or non-default configuration is needed per the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment RTI's own CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a remote, unauthenticated, low-complexity bug - the same precondition profile that DDS-style network exposure typically presents - and assigns VA:H/SA:H, implying the over-read reliably crashes the process and propagates that outage to dependent (subsequent) systems on the DDS bus, which is consistent with the safety-critical nature of typical Connext deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to a DDS participant sends a crafted RTPS datagram to the Connext discovery or user-traffic port; the Core Libraries parser dereferences past the buffer end while decoding the message, leaking adjacent memory contents into internal processing and reliably crashing the participant process. Because the DDS bus is a shared data plane, the failed participant takes its published topics offline and can cascade outages to subscribers that depend on those topics for safety or control decisions; no public exploit identified at time of analysis.
Remediation Vendor-released patch: upgrade to Connext Professional 7.7.0 on the 7.4+ branch or to 7.3.1.3 on the 7.0-7.3 branch as listed by RTI at https://www.rti.com/vulnerabilities/#cve-2026-3894; the description does not enumerate fixed builds for the 6.1.x, 6.0.x, 5.3.x, 5.2.x, and 5.0.x lines, so consult the vendor advisory for branch-specific patched versions or migration guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all RTI Connext Professional deployments (product versions and network locations); determine exposure to untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-2467 CRITICAL
9.2 Jun 17

Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to

CVE-2024-52057 CRITICAL
9.1 Dec 13

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Profes

CVE-2026-7300 HIGH
8.8 Jun 17

Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a

CVE-2025-14543 HIGH
8.8 Apr 30

XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers

CVE-2026-4374 HIGH
8.8 Apr 01

XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthentic

CVE-2024-52058 HIGH
8.6 Dec 13

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext

CVE-2025-10450 HIGH
8.3 Dec 16

Network traffic sniffing in RTI Connext Professional 7.2.0-7.3.0 and 7.4.0-7.6.x exposes private personal information to

CVE-2024-52066 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin

CVE-2024-52063 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L

CVE-2024-52061 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L

CVE-2024-52060 HIGH
8.3 Dec 13

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin

CVE-2024-25724 HIGH
7.3 May 21

In RTI Connext Professional 5.3.1 through 6.1.0 before 6.1.1, a buffer overflow in XML parsing from Routing Service, Rec

Share

CVE-2026-3894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy