Impact
RTKLIB versions up to 2.4.3 contain an out‑of‑bounds write in the decode_type1033 routine because the length counter is not clamped to the buffer size. The flaw allows a crafted type‑1033 RTCM3 message to overflow a 64‑byte descriptor field by up to 191 bytes, corrupting adjacent members of the rtcm_t object. The corrupted data can lead to either arbitrary code execution or to a denial‑of‑service condition.
Affected Systems
The affected product is RTKLIB from tomojitakasu, specifically the 2.4.3 release. No other vendors or versions are reported as vulnerable for this issue.
Risk and Exploitability
The CVSS score of 9.3 classifies the vulnerability as critical, indicating a high likelihood of successful exploitation. Although no EPSS score has been published, the lack of listing in the CISA KEV catalog suggests no publicly known exploits yet, but the remote nature of the attack vector through an NTRIP or serial RTCM3 correction stream means an attacker who can inject crafted data can trigger the overflow. The risk is therefore high both for confidentiality and availability.
OpenCVE Enrichment