Source: rtklib
Version: 2.4.3+dfsg1-2.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for rtklib.

CVE-2026-56786[0]:
| RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability
| in decode_type1033 function that fails to clamp length counters to
| destination buffer size, allowing up to 191-byte overflow into fixed
| 64-byte descriptor fields. An attacker controlling an NTRIP or
| serial RTCM3 correction stream can craft a valid CRC-bearing
| type-1033 message to corrupt adjacent rtcm_t object members,
| potentially achieving arbitrary code execution or denial of service.

CVE-2026-56787[1]:
| RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read
| vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that
| allows remote attackers to trigger a global buffer overflow via
| crafted RTCM3 SSR messages with attacker-controlled signal mode
| fields. Remote attackers can exploit this vulnerability by sending
| malicious SSR correction streams over NTRIP or serial connections to
| cause denial of service or crash RTKLIB rovers and CORS servers.

CVE-2026-56788[2]:
| RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in
| getcodepri function when processing unrecognized RINEX observation
| codes, allowing attackers to trigger denial of service. Crafted
| RINEX files with unknown observation types cause negative array
| indexing into the codepris table, resulting in reliable crashes and
| potential memory disclosure of adjacent global data.

CVE-2026-56789[3]:
| RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability
| in the readrnxobsb function in src/rinex.c that allows attackers to
| trigger memory corruption by failing to clamp satellite count values
| from RINEX epoch headers. Attackers can craft malicious RINEX files
| declaring more than 64 satellites per epoch to cause heap buffer
| overflow writes and out-of-bounds stack reads, crashing RTKLIB-based
| applications including rnx2rtkp and RTKPOST.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56786
    https://www.cve.org/CVERecord?id=CVE-2026-56786
[1] https://security-tracker.debian.org/tracker/CVE-2026-56787
    https://www.cve.org/CVERecord?id=CVE-2026-56787
[2] https://security-tracker.debian.org/tracker/CVE-2026-56788
    https://www.cve.org/CVERecord?id=CVE-2026-56788
[3] https://security-tracker.debian.org/tracker/CVE-2026-56789
    https://www.cve.org/CVERecord?id=CVE-2026-56789

Regards,
Salvatore
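
The clamp that the CVE-2026-56786 description says is missing, shown as an added example that is not part of the original report and is not RTKLIB's code: a length-prefixed field is copied into a fixed 64-byte destination with the counter bounded against both the message and the buffer. The byte-aligned layout, the names `station_t`, `copy_field`, `decode_sample` and `decode_truncated`, and the 8-bit counter (consistent with the 191-byte figure, 255 - 64) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DESC_MAX 64 /* fixed destination size named in the advisory */
/* Hypothetical record: two adjacent fixed-size descriptor fields. */
typedef struct {
    char desc[DESC_MAX];
    char serial[DESC_MAX]; /* what an unclamped copy into desc would overwrite */
} station_t;

/* Copy one length-prefixed field from msg at *pos into dst (capacity cap >= 1).
 * Returns bytes stored, or -1 if the declared length runs past the message.
 * dst is NUL-terminated; *pos advances by the declared length, not the copy. */
int copy_field(const uint8_t *msg, size_t msg_len, size_t *pos,
               char *dst, size_t cap)
{
    size_t n, keep;
    if (*pos >= msg_len) return -1;
    n = msg[(*pos)++];                 /* assumed 8-bit counter: 0..255 */
    if (n > msg_len - *pos) return -1; /* length exceeds remaining payload */
    keep = n < cap - 1 ? n : cap - 1;  /* clamp to the destination size */
    memcpy(dst, msg + *pos, keep);
    dst[keep] = '\0';
    *pos += n;
    return (int)keep;
}

/* Constructed input: 255-byte descriptor, then the 3-byte serial "S01".
 * Returns the final read offset, or -1 on a malformed message. */
int decode_sample(station_t *st)
{
    uint8_t msg[1 + 255 + 1 + 3];
    size_t pos = 0;
    msg[0] = 255; memset(msg + 1, 'A', 255);
    msg[256] = 3; memcpy(msg + 257, "S01", 3);
    memset(st, 0, sizeof *st);
    if (copy_field(msg, sizeof msg, &pos, st->desc, sizeof st->desc) < 0) return -1;
    if (copy_field(msg, sizeof msg, &pos, st->serial, sizeof st->serial) < 0) return -1;
    return (int)pos;
}

/* Constructed input whose counter (10) claims more bytes than are present. */
int decode_truncated(void)
{
    const uint8_t msg[] = { 10, 'a', 'b' };
    char dst[DESC_MAX];
    size_t pos = 0;
    return copy_field(msg, sizeof msg, &pos, dst, sizeof dst);
}
```

Truncating the stored copy while still advancing by the declared length keeps the later fields parseable; a decoder may instead reject any field longer than its destination.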

