RTKLIB CVE-2026-56786

EUVD: EUVD-2026-39528 · CRITICAL
Out-of-bounds Write (CWE-787)
2026-06-25 VulnCheck GHSA-5cx9-6hw2-hchv
9.3
CVSS 4.0 · Vendor: VulnCheck
Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-delivered via RTCM3 with no victim auth or interaction (AV:N/PR:N/UI:N), but AC:H because the attacker must control or MITM the correction stream and craft a CRC-valid frame; memory corruption yields full C/I/A impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Jun 25, 2026 - 18:52 (vuln.today)

Description (CVE.org)

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function, which fails to clamp length counters to the destination buffer size, allowing an overflow of up to 191 bytes into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a type-1033 message with a valid CRC to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
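
The clamp the description says is missing, as an added example (not RTKLIB's code and not an upstream fix): each 8-bit counter is checked against the remaining payload and the copy is capped at the 64-byte field, while the read offset still advances by the full counter. `desc_fields_t`, `read_descriptor` and `parse_1033_descriptors` are hypothetical names, and the code assumes `p` points at the first descriptor counter of a type-1033 payload, after the message number and station ID.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DESC_MAX 64  /* fixed descriptor field size named in the advisory */

/* Hypothetical stand-in for the adjacent descriptor members inside rtcm_t. */
typedef struct {
    char antdes[DESC_MAX], antsno[DESC_MAX], rectype[DESC_MAX];
    char recver[DESC_MAX], recsno[DESC_MAX];
    int  antsetup;
} desc_fields_t;

/* Read one <8-bit counter><counter bytes> field starting at *off.
 * Returns 0 on success, -1 if the counter runs past the payload.
 * At most dst_size-1 bytes are stored; *off always skips the whole field. */
static int read_descriptor(const uint8_t *p, size_t len, size_t *off,
                           char *dst, size_t dst_size)
{
    if (*off >= len) return -1;
    size_t n = p[(*off)++];                /* sender-controlled, 0..255 */
    if (n > len - *off) return -1;         /* counter exceeds remaining bytes */
    size_t copy = n < dst_size - 1 ? n : dst_size - 1;   /* the clamp */
    memcpy(dst, p + *off, copy);
    dst[copy] = '\0';
    *off += n;                             /* stay in sync with the stream */
    return 0;
}

/* len is the number of payload bytes left before the frame's CRC. */
int parse_1033_descriptors(const uint8_t *p, size_t len, desc_fields_t *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (read_descriptor(p, len, &off, out->antdes, DESC_MAX)) return -1;
    if (off >= len) return -1;
    out->antsetup = p[off++];              /* 8-bit antenna setup ID */
    if (read_descriptor(p, len, &off, out->antsno,  DESC_MAX) ||
        read_descriptor(p, len, &off, out->rectype, DESC_MAX) ||
        read_descriptor(p, len, &off, out->recver,  DESC_MAX) ||
        read_descriptor(p, len, &off, out->recsno,  DESC_MAX)) return -1;
    return 0;
}
```

A stricter parser could reject any counter above 63 instead of truncating; truncation is shown here because it keeps the remaining fields aligned.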

Analysis (AI)

Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Host rogue NTRIP caster or MITM feed
Delivery: Send CRC-valid type-1033 RTCM3 message
Exploit: Overflow 64-byte descriptor buffers
Execution: Corrupt adjacent rtcm_t members
Impact: Execute code or crash receiver

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target be actively consuming an attacker-influenced RTCM3 correction stream - either an NTRIP feed the attacker hosts or can man-in-the-middle, or a serial RTCM3 link the attacker can inject into - and that the attacker send a crafted type-1033 message whose CRC is valid (the parser validates CRC, so malformed frames are rejected). …
Risk Assessment: The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, score 9.3) rates this critical with network reach, low complexity, no privileges, and high confidentiality/integrity/availability impact, consistent with a memory-corruption-to-RCE primitive. …
Exploit Scenario: An attacker stands up a rogue NTRIP caster (or MITMs an existing correction feed) that a target RTK receiver or rtkrcv instance is configured to pull corrections from. They send a CRC-valid RTCM3 type-1033 message with oversized descriptor length fields, overflowing the fixed 64-byte buffers and corrupting adjacent rtcm_t members to crash the process or steer execution. …
Remediation: No vendor-released patched version is independently confirmed in the provided data; remediation tracking currently points to the upstream GitHub issue (https://github.com/tomojitakasu/RTKLIB/issues/799) and the VulnCheck advisory (https://www.vulncheck.com/advisories/rtklib-out-of-bounds-write-in-decode-type1033-via-crafted-rtcm3-message), so monitor those for a tagged release and upgrade as soon as a fixed build past 2.4.3 is published. …

Recommended Action (AI)

Within 24 hours: Identify all production and development systems running RTKLIB 2.4.3 and earlier; audit trust boundaries for RTCM3/NTRIP correction stream sources. …
