CVE-2026-56786

NameCVE-2026-56786
DescriptionRTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140766

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rtklib (PTS)bullseye2.4.3+dfsg1-2.1vulnerable
forky, sid, bookworm, trixie2.4.3.b34+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rtklibsource(unstable)(unfixed)1140766

Notes

https://github.com/tomojitakasu/RTKLIB/issues/799
Search for package or bug name: Reporting problems