CVE-2026-56786

RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message

CVSS 9.3 CRITICALEPSS 0.4%CWE-787

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

25 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

tomojitakasu · RTKLIB

public PoCs found — 1

cve_referencegithub.com/tomojitakasu/RTKLIB/issues/799unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/tomojitakasu/RTKLIB/issues/799 https://www.vulncheck.com/advisories/rtklib-out-of-bounds-write-in-decode-type1033-via-crafted-rtcm3-message