CVE-2026-56787
Status: Undergoing Analysis - In Progress
RTKLIB Off-by-One Buffer Overflow in RTCM3 SSR Decoding

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor          Product   Version / Range
rtklib          rtklib    to 2.4.3 (inc)
tomojitakasu    rtklib    to 2.4.4 (exc)

CWE
CWE-193: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Detection Guidance

This vulnerability can be detected by monitoring for crafted RTCM3 SSR messages with attacker-controlled signal mode fields being sent over NTRIP or serial connections to RTKLIB-based systems.

Specifically, detection involves inspecting SSR correction streams for mode values that equal or exceed the constellation's code count, which triggers the off-by-one out-of-bounds read.

Network capture and analysis tools such as tcpdump or Wireshark can be used to filter and examine RTCM3 SSR messages on NTRIP or serial interfaces.

  • Use tcpdump to capture NTRIP traffic: tcpdump -i <interface> port <NTRIP_port> -w capture.pcap
  • Analyze captured packets with Wireshark, filtering for RTCM3 SSR messages and inspecting the signal mode fields for suspicious values.
  • On serial connections, use tools like cat or screen to monitor incoming SSR correction streams and parse messages for mode field anomalies.
Mitigation Strategies

Immediate mitigation steps include restricting or filtering incoming SSR correction streams over NTRIP or serial connections to prevent malicious RTCM3 SSR messages from reaching RTKLIB-based systems.

Applying patches or updates to RTKLIB that fix the off-by-one error in the decode_ssr3 function is critical. The fix involves changing the guard condition to properly validate the mode field.
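
The guard change described above, as an added example that is not RTKLIB source code: it contrasts an off-by-one bounds check (CWE-193) with a corrected one on a table lookup keyed by a message-supplied mode. The table contents, all function names, the `<=` versus `<` form of the guard and the 5-bit mode width are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a per-constellation signal code table. */
static const uint8_t demo_codes[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
#define DEMO_NCODE (sizeof demo_codes / sizeof demo_codes[0])
#define MODE_VALUES 32u  /* assumption: mode is a 5-bit field */

typedef int (*guard_fn)(unsigned mode, size_t ncode);

/* Off-by-one guard (CWE-193): also accepts mode == ncode. */
int guard_off_by_one(unsigned mode, size_t ncode) { return mode <= ncode; }

/* Corrected guard: valid indices are 0 .. ncode-1. */
int guard_fixed(unsigned mode, size_t ncode) { return mode < ncode; }

/* Count mode values a guard lets through that would index past the table.
   Only the guard is evaluated; the table is never read out of bounds. */
unsigned count_oob_accepted(guard_fn guard)
{
    unsigned mode, n = 0;
    for (mode = 0; mode < MODE_VALUES; mode++)
        if (guard(mode, DEMO_NCODE) && mode >= DEMO_NCODE) n++;
    return n;
}

/* Hardened store: returns 0 on success, -1 if the mode or code is rejected. */
int store_code_bias(float *cbias, size_t ncbias, unsigned mode, float bias)
{
    unsigned code;
    if (!guard_fixed(mode, DEMO_NCODE)) return -1;  /* source index bound */
    code = demo_codes[mode];
    if (code == 0 || code > ncbias) return -1;      /* destination bound */
    cbias[code - 1] = bias;
    return 0;
}

int main(void)
{
    float cbias[8] = { 0 };
    printf("out-of-range modes accepted: <= guard %u, < guard %u\n",
           count_oob_accepted(guard_off_by_one), count_oob_accepted(guard_fixed));
    printf("mode 7 -> %d, mode 8 -> %d\n",
           store_code_bias(cbias, 8, 7, 0.25f), store_code_bias(cbias, 8, 8, 0.25f));
    return 0;
}
```

The same boundary value, a mode equal to the table's entry count, is the one to include in regression tests for a patched build.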

If patching is not immediately possible, consider disabling or limiting access to vulnerable RTKLIB services or rovers until a fix can be applied.

Executive Summary

This vulnerability exists in RTKLIB through version 2.4.3 and is an off-by-one out-of-bounds read in the decode_ssr3 function located at src/rtcm3.c:1446.

It allows remote attackers to trigger a global buffer overflow by sending specially crafted RTCM3 SSR messages that contain attacker-controlled signal mode fields.

The vulnerability can be exploited remotely via malicious SSR correction streams sent over NTRIP or serial connections.

Impact Analysis

Exploitation of this vulnerability can cause denial of service or crash RTKLIB rovers and CORS servers.
