Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker-supplied file but victim must open it (UI:R); no auth to craft (PR:N); impact is crash only, so C:N/I:N/A:H with unchanged scope.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.
Analysis (AI)
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to open or process an attacker-crafted RINEX observation file (UI:P - passive user interaction is mandatory; this is not a remotely triggerable network service). … |
| Risk Assessment | Signals are consistent and point to a real but bounded (denial-of-service) risk rather than a critical RCE. … |
| Exploit Scenario | An attacker crafts a RINEX observation file whose epoch header declares more than 64 satellites and delivers it to a victim (for example via a shared dataset, email, or a download in an automated processing pipeline). When the victim opens or batch-processes the file with rnx2rtkp or RTKPOST, readrnxobsb overflows the heap buffer and performs out-of-bounds reads, crashing the application. … |
| Remediation | No vendor-released patch version is identified at time of analysis; the upstream reference (https://github.com/tomojitakasu/RTKLIB/issues/796) is an issue report rather than a tagged release or merged fix commit, so monitor that issue and the RTKLIB repository for a patched build and upgrade as soon as one is published. … |
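
Until a patched build exists, untrusted observation files can be screened before they reach rnx2rtkp or RTKPOST. The following is an added example, not code from RTKLIB or from this advisory: it checks RINEX 3 epoch lines only (RINEX 2 is not covered) and assumes the RINEX 3 layout in which an epoch line starts with `>`, carries the event flag in column 32 and the count in columns 33-35. The names `scan_rinex3_obs`, `epoch_line` and `SAMPLE` are hypothetical, and the limit of 64 is the per-epoch figure given in the description.

```python
import io

MAX_SATS = 64  # per-epoch limit stated in the advisory text


def scan_rinex3_obs(stream, limit=MAX_SATS):
    """Return (line_no, flag, count) for every epoch line after the header
    whose count field exceeds `limit`, is negative, or cannot be parsed."""
    findings = []
    in_header = True
    for line_no, line in enumerate(stream, 1):
        line = line.rstrip("\r\n")
        if in_header:
            # Header labels occupy columns 61-80; records start after this one.
            if line[60:].strip() == "END OF HEADER":
                in_header = False
            continue
        if not line.startswith(">"):
            continue  # per-satellite observation line, not an epoch header
        # For event flags 2-5 the field counts special records, not
        # satellites; an oversized value is still reported, conservatively.
        flag, count_txt = line[31:32].strip(), line[32:35].strip()
        try:
            count = int(count_txt)
        except ValueError:
            findings.append((line_no, flag, None))  # malformed: treat as suspect
            continue
        if count > limit or count < 0:
            findings.append((line_no, flag, count))
    return findings


def epoch_line(flag, count):
    """Build a constructed epoch line in the assumed RINEX 3 column layout."""
    return "> 2024 01 01 00 00 %10.7f  %1d%3d" % (0.0, flag, count)


# Constructed sample input: minimal header, one normal epoch, one oversized.
SAMPLE = "\n".join([
    "     3.04           OBSERVATION DATA    M".ljust(60) + "RINEX VERSION / TYPE",
    "".ljust(60) + "END OF HEADER",
    epoch_line(0, 12),
    epoch_line(0, 70),
]) + "\n"

if __name__ == "__main__":
    for hit in scan_rinex3_obs(io.StringIO(SAMPLE)):
        print("suspect epoch header: line %d, flag %s, count %s" % hit)
```

Files with any finding can be quarantined rather than passed to the batch pipeline; an empty result says only that no RINEX 3 epoch line declared an oversized count.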
Recommended Action (AI)
Within 24 hours: Identify all RTKLIB deployments running version 2.4.3 or earlier and assess their operational criticality. …
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length coun
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attacker
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when proce
Same weakness: CWE-122 – Heap-based Buffer Overflow
Same technique: Buffer Overflow
EUVD-2026-39531
GHSA-3fqf-8h5x-pq8x