CVE-2026-56786
Undergoing Analysis - In Progress
RTKLIB Out-of-Bounds Write in decode_type1033

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function, which fails to clamp length counters to the destination buffer size, allowing an overflow of up to 191 bytes into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
rtklib | rtklib | to 2.4.3 (inc)
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-56786 is an out-of-bounds write vulnerability in RTKLIB version 2.4.3 and earlier, specifically in the decode_type1033 function. The vulnerability occurs because the function fails to properly limit length counters when copying descriptor strings into fixed 64-byte buffers. This allows an attacker to overflow the buffer by up to 191 bytes, corrupting adjacent memory within the rtcm_t object.

An attacker controlling an NTRIP or serial RTCM3 correction stream can send a crafted type-1033 message with a valid CRC that triggers this overflow. The flaw arises because length counters for antenna descriptor, antenna serial, receiver type, receiver version, and receiver serial are not clamped to the buffer size, allowing memory corruption.

This memory corruption can lead to arbitrary code execution or denial of service.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can have severe impacts including arbitrary code execution and denial of service on systems using vulnerable versions of RTKLIB.

  • An attacker can corrupt memory adjacent to critical data structures by sending specially crafted RTCM3 correction streams.
  • Exploitation does not require authentication, making it easier for attackers to exploit remotely via NTRIP or serial connections.
  • Successful exploitation could allow attackers to execute malicious code, disrupt services, or crash affected applications.

Detection Guidance

This vulnerability can be detected by monitoring for crafted RTCM3 type-1033 messages in NTRIP or serial RTCM3 correction streams that contain length counters exceeding the expected 64-byte buffer limits.

Detection can be enhanced by using runtime sanitizers such as UndefinedBehaviorSanitizer, which has been confirmed to detect the array-bounds violation caused by this vulnerability.

Specifically, you can capture and analyze RTCM3 correction streams for type-1033 messages with unusually large length fields for antenna descriptor, antenna serial, receiver type, receiver version, and receiver serial.

  • Use packet capture tools like tcpdump or Wireshark to capture RTCM3 traffic on your network.
  • Filter captured traffic for RTCM3 type-1033 messages and inspect the length fields for values exceeding 63 bytes.
  • Run RTKLIB binaries under UndefinedBehaviorSanitizer to detect out-of-bounds writes during decoding.

Mitigation Strategies

Immediate mitigation involves preventing the processing of malicious RTCM3 type-1033 messages with length fields exceeding the buffer size.

The recommended fix is to clamp each descriptor length to a maximum of 63 bytes (MAXANT-1) before copying into the fixed 64-byte buffers.

Additionally, apply the same clamping fix to related decoder functions such as decode_type1007 and decode_type1008.

Until a patched version of RTKLIB is applied, consider filtering or blocking unauthenticated RTCM3/NTRIP correction streams from untrusted sources to reduce exposure.
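
The clamp described above, as an added example that is not RTKLIB's code or the upstream patch: a stand-alone C decoder for a type-1033 body that limits every stored descriptor to MAXANT-1 characters and counts oversized counters, which is also the length check named under Detection Guidance. The struct, the function names and the byte layout used here (three bytes of message number and station id, five counted strings, one setup-id byte after the antenna descriptor) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define MAXANT 64 /* field size; the page's clamp is MAXANT-1 = 63 */
typedef struct { /* hypothetical stand-in for rtcm_t's descriptor fields */
    char antdes[MAXANT], antsno[MAXANT], rectype[MAXANT], recver[MAXANT], recsno[MAXANT];
} desc1033_t;

/* Copy one counted string at p[*pos] into a MAXANT-byte field, clamped.
 * Returns the on-wire counter, or -1 if it runs past the end of the body. */
static int copy_field(const unsigned char *p, size_t len, size_t *pos, char *dst)
{
    size_t n, keep;
    if (*pos >= len) return -1;
    n = p[(*pos)++];
    if (n > len - *pos) return -1;          /* counter exceeds remaining bytes */
    keep = n < MAXANT - 1 ? n : MAXANT - 1; /* never store more than 63 chars */
    memcpy(dst, p + *pos, keep);
    dst[keep] = '\0';
    *pos += n;                              /* still skip the full on-wire field */
    return (int)n;
}

/* Decode a type-1033 body (frame header and CRC already checked and removed).
 * Returns how many counters exceeded MAXANT-1, or -1 if the body is malformed. */
int decode_1033_body(const unsigned char *p, size_t len, desc1033_t *out)
{
    char *dst[5] = {out->antdes, out->antsno, out->rectype, out->recver, out->recsno};
    size_t pos = 3; /* skip 12-bit message number + 12-bit station id */
    int i, n, oversized = 0;
    memset(out, 0, sizeof *out);
    if (len < 3 || ((p[0] << 4) | (p[1] >> 4)) != 1033) return -1;
    for (i = 0; i < 5; i++) {
        if ((n = copy_field(p, len, &pos, dst[i])) < 0) return -1;
        if (n > MAXANT - 1) oversized++;
        if (i == 0 && pos++ >= len) return -1; /* skip the antenna setup id byte */
    }
    return oversized;
}

int main(void)
{
    /* Constructed body: antenna descriptor counter of 70, above the 63-char limit. */
    unsigned char body[3 + 1 + 70 + 1 + 4] = {0x40, 0x90, 0x00, 70};
    desc1033_t d;
    memset(body + 4, 'A', 70);
    int r = decode_1033_body(body, sizeof body, &d);
    printf("oversized=%d kept=%zu\n", r, strlen(d.antdes));
    return 0;
}
```

A non-zero return value is the signal to log or drop the message: the stored strings are truncated, and the sender declared a descriptor longer than the fields can hold.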
