Impact
The vulnerability lies in libais version 0.15’s VdmStream::AddLine function, which uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out‑of‑range sequential message IDs. This out‑of‑bounds vector access can corrupt memory or trigger a crash, leading to denial of service on services or vessel systems that rely on AIS data. The weakness is a classic example of CWE‑129.
Affected Systems
The affected product is libais by schwehr, specifically version 0.15 and earlier that has not applied the recent fix. Any system that incorporates this library—such as AIS receivers, maritime navigation software, or monitoring services—could be impacted if they parse AIS messages without validating sequential IDs.
Risk and Exploitability
The CVSS score of 8.7 classifies this issue as high severity. While the EPSS score is not available, the vulnerability can be exploited remotely by an attacker who broadcasts malformed AIVDM sentences over VHF marine radio or IP feeds to the target system. The resulting out‑of‑bounds access can crash the service or corrupt data, potentially leading to system downtime or safety impacts. The vulnerability is not yet listed in CISA’s KEV catalog, but its high severity warrants immediate attention.
OpenCVE Enrichment