RTI Connext Professional CVE-2026-3894
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated RTPS parsing flaw (AV:N/AC:L/PR:N/UI:N); crash and downstream bus impact justify A:H and Scope:Changed; confidentiality not impacted per vendor VC:N.
Primary rating from Vendor (RTI).
CVSS VectorVendor: RTI
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Out-of-bounds Read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*.
AnalysisAI
Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond intended buffer bounds, with the CVSS 4.0 vector (9.2 Critical) indicating high availability impact on both the vulnerable component and downstream systems consuming its data. The flaw affects a wide range of Connext Professional releases used as DDS middleware in defense, autonomous, and industrial deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to a Connext participant's RTPS endpoints (typically UDP 7400/7401 discovery and the dynamic per-domain user-traffic ports) running an affected Core Libraries build from the 5.0.x-7.6.x range; no authentication, user interaction, or non-default configuration is needed per the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | RTI's own CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a remote, unauthenticated, low-complexity bug - the same precondition profile that DDS-style network exposure typically presents - and assigns VA:H/SA:H, implying the over-read reliably crashes the process and propagates that outage to dependent (subsequent) systems on the DDS bus, which is consistent with the safety-critical nature of typical Connext deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to a DDS participant sends a crafted RTPS datagram to the Connext discovery or user-traffic port; the Core Libraries parser dereferences past the buffer end while decoding the message, leaking adjacent memory contents into internal processing and reliably crashing the participant process. Because the DDS bus is a shared data plane, the failed participant takes its published topics offline and can cascade outages to subscribers that depend on those topics for safety or control decisions; no public exploit identified at time of analysis. |
| Remediation | Vendor-released patch: upgrade to Connext Professional 7.7.0 on the 7.4+ branch or to 7.3.1.3 on the 7.0-7.3 branch as listed by RTI at https://www.rti.com/vulnerabilities/#cve-2026-3894; the description does not enumerate fixed builds for the 6.1.x, 6.0.x, 5.3.x, 5.2.x, and 5.0.x lines, so consult the vendor advisory for branch-specific patched versions or migration guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all RTI Connext Professional deployments (product versions and network locations); determine exposure to untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Connext Professional
View allRemote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Profes
Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a
XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers
XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthentic
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext
Network traffic sniffing in RTI Connext Professional 7.2.0-7.3.0 and 7.4.0-7.6.x exposes private personal information to
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core L
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routin
In RTI Connext Professional 5.3.1 through 6.1.0 before 6.1.1, a buffer overflow in XML parsing from Routing Service, Rec
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today