Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.
Articles & Coverage 1
AnalysisAI
Stack-based buffer overflow in GMT versions 6.6.0 and earlier allows local attackers to crash the application or execute arbitrary code by supplying an excessively long dataset identifier to vulnerable functions like gmt_remote_dataset_id. The vulnerability affects command-line processing of geographic data and currently lacks a public patch, leaving all affected GMT installations exposed to local exploitation.
Technical ContextAI
GMT (Generic Mapping Tools) is an open source collection of command-line utilities for processing geographic and Cartesian datasets, widely used in geoscience research and mapping applications. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and resides in the gmt_remote_dataset_id function within src/gmt_remote.c. This function improperly handles user-supplied dataset identifiers without adequate bounds checking, allowing an overly long string to overflow the stack buffer. The affected product is identified via CPE as cpe:2.3:a:genericmappingtools:gmt:*:*:*:*:*:*:*:*, indicating the core GMT application. Stack-based buffer overflows are particularly dangerous as they can overwrite return addresses and function pointers, enabling attackers to redirect program execution flow.
RemediationAI
Users should immediately upgrade to a patched version of GMT that includes commit 0ad2b491470df82c9ec1139dcbd70502fa28a082, which addresses the stack-based buffer overflow in the gmt_remote_dataset_id function. The patch details are available at https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082 and the security advisory at https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg. Until patching is completed, organizations should implement defense-in-depth measures such as restricting the processing of untrusted or external datasets, running GMT tools with minimal privileges in sandboxed environments, and validating dataset identifiers before passing them to GMT functions. Input validation should specifically check for excessively long strings in dataset identifiers to prevent buffer overflow conditions.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13784