Rtklib
Monthly
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.