CVE-2026-56770

libais 0.15 - Out-of-bounds Vector Access in VdmStream::AddLine via Invalid Sequential Message ID

CVSS 8.7 HIGHEPSS 0.3%CWE-129

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

25 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range sequential message IDs. Remote attackers can crash services or vessel systems by sending crafted AIVDM sentences over VHF marine radio or IP feeds, causing out-of-bounds memory access and potential corruption.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected products

schwehr · libais

public PoCs found — 1

cve_referencegithub.com/schwehr/libais/issues/263unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/schwehr/libais/issues/263 https://www.vulncheck.com/advisories/libais-out-of-bounds-vector-access-in-vdmstream-addline-via-invalid-sequential-message-id