CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Description
GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.
Analysis
Stack-based buffer overflow in GMT versions 6.6.0 and earlier allows local attackers to crash the application or execute arbitrary code by supplying an excessively long dataset identifier to vulnerable functions like gmt_remote_dataset_id. The vulnerability affects command-line processing of geographic data and currently lacks a public patch, leaving all affected GMT installations exposed to local exploitation.
Remediation
Within 24 hours: Identify all systems running GMT 6.6.0 or earlier and document their criticality and network exposure. Within 7 days: Implement network segmentation to restrict GMT access to trusted internal networks only, disable the 'which' module if operationally feasible, and establish input validation on dataset identifiers where possible. …
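One way to apply the "input validation on dataset identifiers" step on hosts that cannot be upgraded yet, as an added example that is not code from this page or from the GMT project: a POSIX shell wrapper that rejects overlong or unexpected identifiers before they reach `gmt which`. The function names, the 64-character `MAX_ID_LEN` and the allowed character set are assumptions chosen as site policy; the page does not state the size of the vulnerable buffer.

```shell
#!/bin/sh
# Added example (not GMT project code): pre-validate dataset identifiers
# before handing them to `gmt which`.
# MAX_ID_LEN is an assumed site policy limit, not the real buffer size,
# which the advisory does not give.
MAX_ID_LEN=64

# valid_dataset_id ID
# Exit status 0 if ID passes the policy, 1 otherwise.
# The body runs in a subshell so LC_ALL=C stays local; the C locale makes
# ${#id} count bytes and keeps the bracket ranges ASCII-only.
valid_dataset_id() (
    LC_ALL=C
    id=$1
    # Reject empty and overlong input first.
    [ -n "$id" ] && [ "${#id}" -le "$MAX_ID_LEN" ] || exit 1
    # Reject anything that could be parsed as a command-line option.
    case $id in
        -*) exit 1 ;;
    esac
    # Optional leading '@' (remote dataset marker), then a non-empty name
    # built only from letters, digits, '_', '.' and '-' (assumed allowlist).
    case ${id#@} in
        ''|*[!A-Za-z0-9_.-]*) exit 1 ;;
    esac
    exit 0
)

# safe_gmt_which ID...
# Validates every argument; returns 2 without invoking gmt if any fails.
safe_gmt_which() {
    for arg in "$@"; do
        if ! valid_dataset_id "$arg"; then
            printf 'rejected dataset identifier (%d chars)\n' "${#arg}" >&2
            return 2
        fi
    done
    gmt which "$@"
}

# Example call (constructed identifier):
#   safe_gmt_which @earth_relief_01d
```

A wrapper like this only covers invocations that go through it, so it is a stopgap until the fixed build is deployed.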
EUVD-2026-13784