CVE-2026-56786
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk32th percentile — higher than 32% of all known CVEs
Summary
RTKLIB through version 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
Risk Assessment
The risk for the organization includes the possibility of remote code execution or service disruption in systems using RTKLIB to process RTCM3 correction streams, which may lead to data integrity compromise or positioning service outages.
Recommendation
It is recommended to immediately update RTKLIB to a version newer than 2.4.3, if available, or apply a patch that limits data length in the decode_type1033 function to the destination buffer size. In the meantime, restrict trust in NTRIP and serial RTCM3 stream sources.
Original NVD description (English source)
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.

