Description
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RTKLIB versions up to 2.4.3 contain an out‑of‑bounds write in the decode_type1033 routine because the length counter is not clamped to the buffer size. The flaw allows a crafted type‑1033 RTCM3 message to overflow a 64‑byte descriptor field by up to 191 bytes, corrupting adjacent members of the rtcm_t object. The corrupted data can lead to either arbitrary code execution or to a denial‑of‑service condition.

Affected Systems

The affected product is RTKLIB from tomojitakasu, specifically the 2.4.3 release. No other vendors or versions are reported as vulnerable for this issue.

Risk and Exploitability

The CVSS score of 9.3 classifies the vulnerability as critical, indicating a high likelihood of successful exploitation. Although no EPSS score has been published, the lack of listing in the CISA KEV catalog suggests no publicly known exploits yet, but the remote nature of the attack vector through an NTRIP or serial RTCM3 correction stream means an attacker who can inject crafted data can trigger the overflow. The risk is therefore high both for confidentiality and availability.

Generated by OpenCVE AI on June 25, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RTKLIB to a version that includes the fix (e.g., 2.4.4 or later) once the vendor releases it.
  • If an upgrade is not immediately possible, immediately restrict or disable access to the NTRIP service or serial RTCM3 streams so that only authenticated, trusted sources can send data.
  • Configure firewall or network segmentation to block unauthenticated RTCM3 traffic from reaching the device.
  • If the decode_type1033 functionality is not required for a deployment, consider removing or disabling that message type to eliminate the attack surface.

Generated by OpenCVE AI on June 25, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Tomojitakasu
Tomojitakasu rtklib
Vendors & Products Tomojitakasu
Tomojitakasu rtklib

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
Title RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Tomojitakasu Rtklib
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:27.564Z

Reserved: 2026-06-23T01:24:27.651Z

Link: CVE-2026-56786

cve-icon Vulnrichment

Updated: 2026-06-25T18:41:33.685Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:37Z

Weaknesses