Skip to main content

RTKLIB EUVDEUVD-2026-39529

| CVE-2026-56787 MEDIUM
Off-by-one Error (CWE-193)
2026-06-25 VulnCheck GHSA-8p7j-vhgr-rcw5
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-delivered unauthenticated message triggers crash (A:H); OOB read may expose memory (C:L); no integrity impact; scope unchanged to RTKLIB process.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 18:57 vuln.today

DescriptionCVE.org

RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.

AnalysisAI

Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position on NTRIP stream or serial correction link
Delivery
Craft RTCM3 SSR message with malicious signal mode fields
Exploit
Deliver crafted message to target RTKLIB instance
Execution
Trigger off-by-one OOB read in decode_ssr3 at rtcm3.c:1446
Persist
Corrupt global buffer state
Impact
Crash rover or CORS server process

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target RTKLIB instance (version 2.4.3 or earlier) is actively receiving RTCM3 SSR correction messages - either via a live NTRIP connection to a correction service or via a serial data channel carrying RTCM3 streams. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects low-complexity unauthenticated network exploitation with no preconditions, which accurately characterizes accessibility of the vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or can inject into an NTRIP correction stream - for example, by operating a malicious caster or performing a man-in-the-middle attack on an unencrypted NTRIP session - sends an SSR message with attacker-crafted signal mode fields to a target RTKLIB rover or CORS server instance. The off-by-one boundary miscalculation in decode_ssr3 triggers an out-of-bounds read that corrupts adjacent global buffer memory, causing the RTKLIB process to crash and terminating GNSS correction services. …
Remediation No vendor-released patched version is independently confirmed at time of analysis - the fix is tracked in the upstream GitHub issue at https://github.com/tomojitakasu/RTKLIB/issues/798 but no tagged release incorporating the correction has been referenced in available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy