Description
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RTKLIB versions through 2.4.3 are affected by an off‑by‑one out‑of‑bounds read in the decode_ssr3 function, which can trigger a global buffer overflow when an attacker provides carefully crafted RTCM3 SSR messages with controlled signal mode fields. This flaw can cause the RTKLIB rover or CORS server to crash, resulting in loss of availability for the host system or connected users.

Affected Systems

Vendors: tomojitakasu:RTKLIB. Products: RTKLIB 2.4.3 and all earlier releases. The vulnerability is triggered in the source file src/rtcm3.c at line 1446 when processing SSR messages over NTRIP or serial interfaces.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the documented exploitation likelihood remains uncertain but the ability to remotely supply malicious SSR streams makes the risk material. Attackers can exploit this remotely via NTRIP or serial connections, which are commonly used for real‑time correction streams; thus, the threat is that a remote attacker can cause a denial of service by crashing RTKLIB services.

Generated by OpenCVE AI on June 25, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update RTKLIB to a newer release that resolves the decode_ssr3 overflow
  • Restrict NTRIP and serial access to trusted sources or temporarily disable them until a patch is applied
  • Implement firewall or network-level controls to block malicious SSR messages from untrusted origins
  • Monitor system logs for signs of unusual crashes or memory access errors

Generated by OpenCVE AI on June 25, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Tomojitakasu
Tomojitakasu rtklib
Vendors & Products Tomojitakasu
Tomojitakasu rtklib

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.
Title RTKLIB 2.4.3 - Off-by-One Out-of-Bounds Read in decode_ssr3 via RTCM3 SSR Message
Weaknesses CWE-193
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Tomojitakasu Rtklib
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:28.258Z

Reserved: 2026-06-23T01:24:27.651Z

Link: CVE-2026-56787

cve-icon Vulnrichment

Updated: 2026-06-25T18:27:20.871Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:36Z

Weaknesses