Description
RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.
Published: 2026-06-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises when RTKLIB processes RINEX observation files that declare more than 64 satellites in a single epoch. The readrnxobsb function does not clamp the provided count, leading to a heap buffer overflow and an adjacent stack read. An attacker can craft a malicious RINEX file to overwrite memory, leading to a crash or unpredictable behavior. The weakness is a classic heap buffer overflow (CWE‑122) that can result in denial of service.

Affected Systems

The flaw affects the RTKLIB package published by Tomojitakasu, specifically versions up to and including 2.4.3. Applications that use the rnx2rtkp or RTKPOST components are affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating moderate severity. The EPSS score is currently unavailable, and the flaw is not listed in the CISA KEV catalog. The attack requires access to a RINEX file fed to the vulnerable function, so a local attacker or an attacker able to supply a crafted file to the application can exploit it. The fact that the vulnerability leads to heap corruption makes it potentially exploitable for denial of service, but the lack of an available public exploit reduces the likelihood of widespread exploitation for now.

Generated by OpenCVE AI on June 25, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RTKLIB to version 2.4.4 or newer, where the heap buffer overflow is fixed.
  • If an upgrade is not possible, validate the satellite count in RINEX epoch headers to ensure it does not exceed 64 before calling the read routine, or replace the vulnerable routine with a validated version.
  • Run RTKLIB‑based applications with the least privilege necessary and consider sandboxing them to limit the impact of possible memory corruption.
  • Avoid processing untrusted or externally supplied RINEX files until a patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Tomojitakasu
Tomojitakasu rtklib
Vendors & Products Tomojitakasu
Tomojitakasu rtklib

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.
Title RTKLIB 2.4.3 - Heap Buffer Overflow and Stack Read via Oversized RINEX Epoch Satellite Count
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Tomojitakasu Rtklib
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:29.663Z

Reserved: 2026-06-23T01:24:27.651Z

Link: CVE-2026-56789

cve-icon Vulnrichment

Updated: 2026-06-25T18:26:06.914Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:31Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow