Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local file processing with mandatory user interaction, no privileges required, low confidentiality from adjacent memory read, low availability from reliable crash, no integrity impact.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in the getcodepri function when processing unrecognized RINEX observation codes, allowing attackers to trigger denial of service. Crafted RINEX files with unknown observation types cause negative array indexing into the codepris table, resulting in reliable crashes and potential memory disclosure of adjacent global data.
Analysis (AI)
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. …
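The indexing pattern described above, as an added example (not RTKLIB's source and not code from the advisory): a simplified C model in which an unrecognized observation code maps to frequency 0, so `freq - 1` becomes index -1, next to a lookup that range-checks before reading the table. `pri_table`, `code_to_freq`, `unchecked_index`, `code_priority`, the table contents and the `14 - position` scoring are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>

#define NFREQ_SLOTS 3   /* constructed table size, not RTKLIB's */

/* Constructed priority strings per frequency slot; earlier char = higher priority. */
static const char *pri_table[NFREQ_SLOTS] = { "CPYWMNSL", "PYWCMNDSLX", "IQX" };

/* Hypothetical mapping from a 2-char observation code to a 1-based
   frequency slot; returns 0 when the code is not recognized. */
static int code_to_freq(const char *obs)
{
    if (strlen(obs) != 2) return 0;
    switch (obs[0]) {
        case '1': return 1;
        case '2': return 2;
        case '5': return 3;
        default:  return 0;
    }
}

/* Index the unchecked pattern would use: freq-1, which is -1 for unknown codes. */
static int unchecked_index(const char *obs)
{
    return code_to_freq(obs) - 1;
}

/* Hardened lookup: reject freq outside 1..NFREQ_SLOTS before touching the table. */
static int code_priority(const char *obs)
{
    int freq = code_to_freq(obs);
    const char *row, *p;

    if (freq < 1 || freq > NFREQ_SLOTS) return 0; /* unknown code: no table read */
    row = pri_table[freq - 1];
    p = strchr(row, obs[1]);
    return p ? 14 - (int)(p - row) : 0;
}

int main(void)
{
    const char *samples[] = { "1C", "2W", "5Q", "9Z", "" }; /* constructed inputs */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-3s idx=%2d pri=%d\n", samples[i],
               unchecked_index(samples[i]), code_priority(samples[i]));
    return 0;
}
```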
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that a user or automated process actively open or pass a crafted RINEX file to an RTKLIB-linked application - confirmed by UI:P in the CVSS 4.0 vector, meaning passive user interaction (e.g., opening a file or triggering a processing pipeline) is mandatory. … |
| Risk Assessment | The CVSS 4.0 base score of 4.8 reflects a moderate-severity local vulnerability with user interaction required (AV:L/UI:P). … |
| Exploit Scenario | An attacker crafts a RINEX observation file containing deliberately unrecognized observation type codes and delivers it to a target environment where RTKLIB processes external RINEX data - such as an RTK positioning service ingesting uploaded survey files or an automated geodetic pipeline. When the file is processed, getcodepri computes a negative array index into codepris, triggering an out-of-bounds read that crashes the application and may disclose adjacent global memory contents to the attacker. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the upstream fix reference points to a GitHub issue (#797) rather than a tagged release, so a released patched version is not independently confirmed. … |
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length coun
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applicat
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attacker
Same weakness CWE-125 – Out-of-bounds Read
Same technique Buffer Overflow
EUVD-2026-39530
GHSA-m65p-fp8q-q43h