CVE-2026-56787
Analyzed Analyzed - Analysis Complete

RTKLIB Off-by-One Buffer Overflow in RTCM3 SSR Decoding

Vulnerability report for CVE-2026-56787, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-14

Assigner: VulnCheck

Description

RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-14
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rtklib rtklib to 2.4.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in RTKLIB through version 2.4.3 and is an off-by-one out-of-bounds read in the decode_ssr3 function located at src/rtcm3.c:1446.

It allows remote attackers to trigger a global buffer overflow by sending specially crafted RTCM3 SSR messages that contain attacker-controlled signal mode fields.

The vulnerability can be exploited remotely via malicious SSR correction streams sent over NTRIP or serial connections.

Detection Guidance

This vulnerability can be detected by monitoring for crafted RTCM3 SSR messages with attacker-controlled signal mode fields being sent over NTRIP or serial connections to RTKLIB-based systems.

Specifically, detection involves inspecting SSR correction streams for mode values that equal or exceed the constellation's code count, which triggers the off-by-one out-of-bounds read.

Commands to detect such malicious messages could include network traffic capture and analysis tools like tcpdump or Wireshark to filter and examine RTCM3 SSR messages on NTRIP or serial interfaces.

  • Use tcpdump to capture NTRIP traffic: tcpdump -i <interface> port <NTRIP_port> -w capture.pcap
  • Analyze captured packets with Wireshark, filtering for RTCM3 SSR messages and inspecting the signal mode fields for suspicious values.
  • On serial connections, use tools like cat or screen to monitor incoming SSR correction streams and parse messages for mode field anomalies.
Mitigation Strategies

Immediate mitigation steps include restricting or filtering incoming SSR correction streams over NTRIP or serial connections to prevent malicious RTCM3 SSR messages from reaching RTKLIB-based systems.

Applying patches or updates to RTKLIB that fix the off-by-one error in the decode_ssr3 function is critical. The fix involves changing the guard condition to properly validate the mode field.

If patching is not immediately possible, consider disabling or limiting access to vulnerable RTKLIB services or rovers until a fix can be applied.

Impact Analysis

Exploitation of this vulnerability can cause denial of service or crash RTKLIB rovers and CORS servers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart