Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered via RTCM3 with no victim auth or interaction (AV:N/PR:N/UI:N), but AC:H because the attacker must control or MITM the correction stream and craft a CRC-valid frame; memory corruption yields full C/I/A impact.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function, which fails to clamp length counters to the destination buffer size, allowing an overflow of up to 191 bytes into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
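The missing clamp described above, shown as an added example of the hardened pattern (this is not RTKLIB's code or an upstream patch). It assumes an 8-bit length counter, which matches the 191-byte figure (255 - 64); demo_state_t, read_descriptor and demo_oversized are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DESC_MAX 64              /* fixed descriptor field size stated in the advisory */

/* Hypothetical stand-in for a decoder state object; not RTKLIB's rtcm_t. */
typedef struct {
    char desc[DESC_MAX];         /* NUL-terminated descriptor */
    uint32_t guard;              /* adjacent member that must never be overwritten */
} demo_state_t;

/* Copy one length-prefixed descriptor (1 count byte + text) from msg[*pos..].
 * The count is checked against the bytes left in the message and then clamped
 * to the destination size. Returns bytes stored, or -1 if the message is short. */
static int read_descriptor(const uint8_t *msg, size_t msg_len, size_t *pos,
                           char *dst, size_t dst_size)
{
    size_t n, keep;

    if (dst_size == 0 || *pos >= msg_len) return -1;
    n = msg[(*pos)++];                        /* assumed 8-bit counter: 0..255 */
    if (n > msg_len - *pos) return -1;        /* counter runs past the frame */

    keep = n < dst_size - 1 ? n : dst_size - 1;   /* clamp to the buffer */
    memcpy(dst, msg + *pos, keep);
    dst[keep] = '\0';
    *pos += n;                                /* still skip the full field */
    return (int)keep;
}

/* Constructed sample: a count byte of 255 followed by 255 'A' bytes. */
static int demo_oversized(void)
{
    uint8_t msg[256];
    demo_state_t st;
    size_t pos = 0;
    int stored;

    msg[0] = 255;
    memset(msg + 1, 'A', 255);
    memset(&st, 0, sizeof st);
    st.guard = 0xC0FFEEu;

    stored = read_descriptor(msg, sizeof msg, &pos, st.desc, sizeof st.desc);
    return (stored == DESC_MAX - 1 && st.guard == 0xC0FFEEu && pos == 256) ? 0 : 1;
}
```

The parse position advances by the full declared length even when the copy is truncated, so fields after an oversized descriptor still decode at the right offset.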
Analysis (AI)
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires that the target be actively consuming an attacker-influenced RTCM3 correction stream - either an NTRIP feed the attacker hosts or can man-in-the-middle, or a serial RTCM3 link the attacker can inject into - and that the attacker send a crafted type-1033 message whose CRC is valid (the parser validates CRC, so malformed frames are rejected). … |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, score 9.3) rates this critical with network reach, low complexity, no privileges, and high confidentiality/integrity/availability impact, consistent with a memory-corruption-to-RCE primitive. … |
| Exploit Scenario | An attacker stands up a rogue NTRIP caster (or MITMs an existing correction feed) that a target RTK receiver or rtkrcv instance is configured to pull corrections from. They send a CRC-valid RTCM3 type-1033 message with oversized descriptor length fields, overflowing the fixed 64-byte buffers and corrupting adjacent rtcm_t members to crash the process or steer execution. … |
| Remediation | No vendor-released patched version is independently confirmed in the provided data; remediation tracking currently points to the upstream GitHub issue (https://github.com/tomojitakasu/RTKLIB/issues/799) and the VulnCheck advisory (https://www.vulncheck.com/advisories/rtklib-out-of-bounds-write-in-decode-type1033-via-crafted-rtcm3-message), so monitor those for a tagged release and upgrade as soon as a fixed build past 2.4.3 is published. … |
Recommended Action (AI)
Within 24 hours: Identify all production and development systems running RTKLIB 2.4.3 and earlier; audit trust boundaries for RTCM3/NTRIP correction stream sources. …
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applicat
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attacker
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when proce
Same weakness CWE-787 – Out-of-bounds Write
EUVD-2026-39528
GHSA-5cx9-6hw2-hchv