Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered unauthenticated message triggers crash (A:H); OOB read may expose memory (C:L); no integrity impact; scope unchanged to RTKLIB process.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.
AnalysisAI
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target RTKLIB instance (version 2.4.3 or earlier) is actively receiving RTCM3 SSR correction messages - either via a live NTRIP connection to a correction service or via a serial data channel carrying RTCM3 streams. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects low-complexity unauthenticated network exploitation with no preconditions, which accurately characterizes accessibility of the vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or can inject into an NTRIP correction stream - for example, by operating a malicious caster or performing a man-in-the-middle attack on an unencrypted NTRIP session - sends an SSR message with attacker-crafted signal mode fields to a target RTKLIB rover or CORS server instance. The off-by-one boundary miscalculation in decode_ssr3 triggers an out-of-bounds read that corrupts adjacent global buffer memory, causing the RTKLIB process to crash and terminating GNSS correction services. … |
| Remediation | No vendor-released patched version is independently confirmed at time of analysis - the fix is tracked in the upstream GitHub issue at https://github.com/tomojitakasu/RTKLIB/issues/798 but no tagged release incorporating the correction has been referenced in available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length coun
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applicat
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when proce
Same weakness CWE-193 – Off-by-one Error
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39529
GHSA-8p7j-vhgr-rcw5