CVE-2026-56786

EUVD-2026-39528

25.06.2026, 19:16

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

rtklib

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://github.com/tomojitakasu/RTKLIB/issues/799

https://www.vulncheck.com/advisories/rtklib-out-of-bounds-write-in-decode-type1033-via-crafted-rtcm3-message