CVE-2026-56786: RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function, which fails to clamp length counters to the destination buffer size, allowing an overflow of up to 191 bytes into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a type-1033 message with a valid CRC that corrupts adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: no upstream fix published
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds write vulnerability exists in RTKLIB 2.4.3 inside the decode_type1033 function, which processes incoming RTCM3 correction stream messages. The function fails to clamp length counters to the size of its fixed 64-byte descriptor fields, so a crafted type-1033 message can overflow up to 191 bytes into adjacent memory of the rtcm_t object. An attacker who controls an NTRIP caster or serial RTCM3 feed and can reach the affected service over the network, without any authentication, can achieve arbitrary code execution or cause a denial of service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
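As an added illustration (not RTKLIB's code and not the upstream fix): a bounds-checked reader for one counted descriptor field of the kind decode_type1033 parses, beside a helper that quantifies what an unclamped strncpy would write past a 64-byte field. The 8-bit length counter is an assumption; its maximum of 255 yields the 191-byte ceiling the advisory states.

```c
/* Added example, not RTKLIB's own code: a bounds-checked copy of one
 * counted descriptor field (8-bit length, then that many bytes) from an
 * RTCM3-style byte buffer into a fixed 64-byte field, plus a helper that
 * quantifies what an unclamped strncpy(dst, src, n) would write past the
 * field. The 8-bit counter is an assumption; its maximum of 255 gives
 * 255 - 64 = 191, the overflow ceiling the advisory states. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DESC_LEN 64  /* fixed descriptor field size named in the advisory */

/* Bytes an unclamped strncpy(dst, src, n) writes past a field of `field` bytes
 * (strncpy always writes exactly n bytes, zero-padding if src is shorter). */
size_t overflow_bytes(unsigned n, size_t field)
{
    return n > field ? n - field : 0;
}

/* Read `bits` bits, MSB first, starting at bit offset `pos` (RTCM3 field layout). */
unsigned read_bits(const uint8_t *buf, int pos, int bits)
{
    unsigned v = 0;
    for (int i = pos; i < pos + bits; i++)
        v = (v << 1) | ((buf[i / 8] >> (7 - i % 8)) & 1u);
    return v;
}

/* Copy the counted field at bit offset *pos into dst (capacity dstsz).
 * Returns the byte count stored, or -1 when the counter runs past the end of
 * the msglen-byte message or does not fit the field with its terminator.
 * Rejecting (rather than silently truncating) keeps the length counter from
 * ever steering a write beyond dstsz - 1, which is the defect's root cause. */
int copy_counted_field(const uint8_t *buf, int msglen, int *pos,
                       char *dst, size_t dstsz)
{
    unsigned n = read_bits(buf, *pos, 8);
    *pos += 8;
    if (*pos + 8 * (int)n > 8 * msglen) return -1;  /* counter exceeds message */
    if (n >= dstsz) return -1;                       /* counter exceeds field  */
    for (unsigned j = 0; j < n; j++, *pos += 8)
        dst[j] = (char)read_bits(buf, *pos, 8);
    dst[n] = '\0';
    return (int)n;
}
```

A message whose counter claims more bytes than the frame carries, or more than the 64-byte field can hold, is refused before any byte is written, which is the check the advisory says is missing.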
HarborGuard Coverage
Detection of CVE-2026-56786 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle RTKLIB 2.4.3 or earlier. Any image in a connected registry or CI pipeline that contains the affected library version is flagged automatically. (Status: Available)
HarborGuard scores this CVE at 9.3 Critical (CVSS v4.0) and surfaces it at the top of the affected-image queue in each customer environment. Per-environment compliance policy weighting is applied, and the finding is routed to the appropriate team inbox based on each organization's configured ownership rules. (Status: Available)
Because no upstream fix version has been published for CVE-2026-56786, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version becomes available. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the RTKLIB NTRIP or serial RTCM3 intake endpoint over the network; the CVSS vector specifies AV:N, meaning exposure exists across any network path that can deliver a crafted RTCM3 stream to the service.
- Authentication: Not required
No credentials or account are needed; the CVSS vector specifies PR:N, so any unauthenticated party that can deliver a type-1033 RTCM3 message to the service can trigger the overflow.
- Victim interaction: Not required
The vulnerability is triggered entirely by the incoming data stream; UI:N means no user action such as clicking a link or opening a file is involved.
- Attack complexity: Low (AC:L)
AC:L indicates the exploit is reliable and condition-free, requiring no race condition, specific memory layout, or environmental precondition beyond network access to the RTCM3 feed endpoint.
Blast Radius
- An attacker writes up to 191 bytes past the end of fixed 64-byte descriptor fields, corrupting adjacent rtcm_t object members in process memory.
- Corrupted object members enable arbitrary code execution within the context of the RTKLIB process, giving the attacker full control over that process.
- The RTKLIB process crashes if the memory corruption does not lead to code execution, taking down any GNSS positioning or correction service that depends on it.
- Confidential data accessible to the RTKLIB process, including positioning state, session tokens, or connected data sinks, is exposed to the attacker (VC:H).
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously across every ingest cycle because no upstream patch exists as of publication. For images confirmed to carry RTKLIB 2.4.3 or earlier, HarborGuard surfaces the finding immediately with full CVSS context so teams can apply compensating controls without waiting for an official fix. Recommended compensating controls include isolating NTRIP caster endpoints behind network policy rules that restrict inbound RTCM3 stream sources to known, trusted IP ranges; applying egress filtering on containers running RTKLIB to limit lateral movement if exploitation occurs; and, where operationally feasible, gating RTCM3 stream ingestion behind an authenticating proxy to reduce the unauthenticated attack surface. The moment the upstream maintainer publishes a fix, HarborGuard will ingest the new version and make a patched-image rebuild available. For customers with auto-remediation enabled, this triggers a rebuild, a regression test run, and a PR opened against affected workloads automatically, with a median time from CVE publication to merged patch PR for critical-severity issues of around 90 minutes in those environments.
Affected Products
- tomojitakasu / RTKLIB ≤ 2.4.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N