Gpsd
CVE-2025-67268
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.
AnalysisAI
gpsd (before commit dc966aa) has a heap buffer overflow in the NMEA2000 satellite view handler (PGN 129540). A malicious satellite count value overwrites the skyview array, enabling code execution on GPS daemon processes. PoC available, patch available.
Technical ContextAI
The hnd_129540 function processes GNSS Satellites in View packets without validating the satellite count against the skyview array size of 184 elements (CWE-122). A crafted NMEA2000 packet with a count exceeding 184 writes beyond the heap buffer, corrupting adjacent memory and enabling attacker-controlled code execution.
RemediationAI
Update gpsd to include commit dc966aa or later. Isolate NMEA2000 networks from general-purpose networks. Monitor gpsd process for crashes indicating exploitation attempts.
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to com
An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. Rated high sever
The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon termination) and pos
Arbitrary shell command execution in gpsd's gpsprof profiling tool (through release-3.27.5) allows an attacker who contr
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today