CVE-2026-56788

Name: CVE-2026-56788
Description: RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in the getcodepri function when processing unrecognized RINEX observation codes, allowing attackers to trigger denial of service. Crafted RINEX files with unknown observation types cause negative array indexing into the codepris table, resulting in reliable crashes and potential memory disclosure of adjacent global data.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1140766

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| rtklib (PTS) | bullseye | 2.4.3+dfsg1-2.1 | vulnerable |
| | forky, sid, bookworm, trixie | 2.4.3.b34+dfsg-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| rtklib | source | (unstable) | (unfixed) | | | 1140766 |

Notes

https://github.com/tomojitakasu/RTKLIB/issues/797
