Skip to main content

Rtklib

4 CVEs product

Monthly

CVE-2026-56789 HIGH POC This Week

Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).

Buffer Overflow Heap Overflow Rtklib
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56788 MEDIUM POC This Month

Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.

Buffer Overflow Denial Of Service Information Disclosure Rtklib
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56787 MEDIUM POC This Month

Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.

Buffer Overflow Denial Of Service Rtklib
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56786 CRITICAL POC Act Now

Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.

RCE Buffer Overflow Denial Of Service Memory Corruption Rtklib
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
EPSS 0% CVSS 7.1
HIGH POC This Week

Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).

Buffer Overflow Heap Overflow Rtklib
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.

Buffer Overflow Denial Of Service Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.

Buffer Overflow Denial Of Service Rtklib
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.

RCE Buffer Overflow Denial Of Service +2
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy