CVE-2026-56789

RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/tomojitakasu/RTKLIB/issues/796	Exploit Issue Tracking Third Party Advisory
https://www.vulncheck.com/advisories/rtklib-heap-buffer-overflow-and-stack-read-via-oversized-rinex-epoch-satellite-count	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rtklib:rtklib:*:*:*:*:*:*:*:*

History

26 Jun 2026, 16:53

Type	Values Removed	Values Added
References	~~() https://github.com/tomojitakasu/RTKLIB/issues/796 -~~	() https://github.com/tomojitakasu/RTKLIB/issues/796 - Exploit, Issue Tracking, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/rtklib-heap-buffer-overflow-and-stack-read-via-oversized-rinex-epoch-satellite-count -~~	() https://www.vulncheck.com/advisories/rtklib-heap-buffer-overflow-and-stack-read-via-oversized-rinex-epoch-satellite-count - Third Party Advisory
CPE		cpe:2.3:a:rtklib:rtklib::::::::
First Time		Rtklib rtklib Rtklib

25 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-25 19:16

Updated : 2026-06-26 16:53

NVD link : CVE-2026-56789

Mitre link : CVE-2026-56789

CVE.ORG link : CVE-2026-56789

JSON object : View

Products Affected

rtklib

rtklib

CWE

CWE-122

Heap-based Buffer Overflow

{"id": "CVE-2026-56789", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-56789", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-25T18:24:09.198915Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "disclosure@vulncheck.com", "affectedData": [{"repo": "https://github.com/tomojitakasu/RTKLIB", "vendor": "tomojitakasu", "product": "RTKLIB", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.3"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-25T19:16:45.477", "references": [{"url": "https://github.com/tomojitakasu/RTKLIB/issues/796", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/rtklib-heap-buffer-overflow-and-stack-read-via-oversized-rinex-epoch-satellite-count", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST."}], "lastModified": "2026-06-26T16:53:38.803", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rtklib:rtklib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6DA91F0-A012-4CAC-8BA9-76C773EFB4E1", "versionEndIncluding": "2.4.3"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}