CVE-2026-56789
Status: Undergoing Analysis - In Progress
Heap Buffer Overflow in RTKLIB

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c. The function fails to clamp satellite count values read from RINEX epoch headers, which allows attackers to trigger memory corruption. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: rtklib
Product: rtklib
Version / Range: to 2.4.3 (inc)
CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Detection Guidance

This vulnerability is triggered by processing maliciously crafted RINEX files with satellite counts greater than 64 in the epoch header. Detection involves identifying such oversized satellite counts in RINEX observation files before they are processed by RTKLIB-based applications.

Since the vulnerability is triggered by file input rather than network traffic, detection commands should focus on scanning RINEX files for epochs declaring more than 64 satellites.

  • Use a script or command to parse RINEX files and check the satellite count in epoch headers for values exceeding 64.
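  • Example command (using grep and awk) to find epoch header lines declaring more than 64 satellites in RINEX 3 observation files, where epoch lines begin with ">" and the satellite count is the fixed-width field in columns 33-35: grep -E '^>' file.obs | awk 'substr($0, 33, 3) + 0 > 64 { print $0 }'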

Monitoring application crashes or abnormal behavior in RTKLIB tools like rnx2rtkp or RTKPOST when processing RINEX files can also indicate exploitation attempts.

Executive Summary

This vulnerability exists in RTKLIB versions up to 2.4.3 in the readrnxobsb function located in src/rinex.c. It is a heap buffer overflow caused by the failure to properly clamp satellite count values from RINEX epoch headers. Attackers can create malicious RINEX files that declare more than 64 satellites per epoch, which leads to heap buffer overflow writes and out-of-bounds stack reads.

As a result, RTKLIB-based applications such as rnx2rtkp and RTKPOST can crash when processing these crafted files.

Impact Analysis

The primary impact of this vulnerability is that an attacker can cause RTKLIB-based applications to crash by supplying specially crafted RINEX files. This can lead to denial of service conditions where the affected applications become unavailable or unstable.

Mitigation Strategies

Immediate mitigation steps include preventing the processing of malicious RINEX files that declare more than 64 satellites per epoch.

  • Validate and sanitize all RINEX input files before processing to ensure satellite counts do not exceed 64.
  • Avoid using vulnerable versions of RTKLIB (version 2.4.3 and earlier) until patches or updates are available.
  • Monitor RTKLIB-based applications for crashes or unusual behavior that may indicate exploitation.

Applying official patches or upgrading to a fixed version of RTKLIB once released is recommended for long-term mitigation.
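
The input validation recommended above, as an added example (not code from RTKLIB or from this advisory): a pre-processing gate that rejects RINEX 3 observation files whose epoch headers declare more than 64 satellites or carry an unparseable count. It assumes the RINEX 3 fixed-column layout (epoch lines start with ">", satellite count in columns 33-35); the function names and sample lines are constructed for illustration, and RINEX 2 files, which do not use the ">" marker, are outside its scope.

```python
import re
import sys

MAX_SATS = 64  # per-epoch limit stated in the advisory


def scan_rinex3_epochs(lines, limit=MAX_SATS):
    """Return [(line_no, reason)] for epoch headers a gate should reject."""
    findings, in_header = [], True
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if in_header:
            in_header = line[60:].strip() != "END OF HEADER"  # label: cols 61-80
            continue
        if not line.startswith(">"):
            continue  # observation record, not an epoch header
        field = line[32:35]  # columns 33-35: satellite count, format I3
        if not re.fullmatch(r" *[0-9]+", field):
            findings.append((line_no, f"unparseable satellite count {field!r}"))
        elif int(field) > limit:
            findings.append((line_no, f"satellite count {int(field)} > {limit}"))
    if in_header:
        findings.append((0, "no END OF HEADER record; file not scanned"))
    return findings


def sample_epoch(nsat, flag=0):
    """Constructed RINEX 3 epoch header line (sample data, not a real capture)."""
    return "> 2026 06 25 00 00%11.7f  %1d%3d" % (0.0, flag, nsat)


SAMPLE = [
    "%-60s%s" % ("     3.04           OBSERVATION DATA    M", "RINEX VERSION / TYPE"),
    "%-60s%s" % ("", "END OF HEADER"),
    sample_epoch(12),    # accepted
    sample_epoch(64),    # accepted: exactly at the limit
    sample_epoch(65),    # rejected
    sample_epoch(100),   # rejected; flag and count run together as "0100"
    "> 2026 06 25 00 00",  # truncated epoch header: rejected (fail closed)
]

if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            for line_no, reason in scan_rinex3_epochs(fh):
                print(f"{path}:{line_no}: {reason}")
                status = 1
    sys.exit(status)
```

Pass one or more observation files as arguments; a non-zero exit status means at least one file should be kept away from rnx2rtkp or RTKPOST. Reading the count by column rather than by whitespace-separated field matters because a three-digit count sits directly against the epoch flag.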
