Skip to main content

Gdal CVE-2026-4738

| EUVD-2026-14706 CRITICAL
Buffer Overflow (CWE-119)
2026-03-24 GovTech CSG GHSA-hp6p-5qh5-w9fj
Buffer Overflow Gdal Suse
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:L/U:Amber
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:L/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
P

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 03:30 euvd
EUVD-2026-14706
Analysis Generated
Mar 24, 2026 - 03:30 vuln.today
Patch released
Mar 24, 2026 - 03:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 03:18 nvd
CRITICAL 9.4

DescriptionCVE.org

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.C‎.

This issue affects gdal: before 3.11.0.

AnalysisAI

A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers to achieve arbitrary code execution or cause denial of service through specially crafted compressed data. The vulnerability requires user interaction to trigger but has a network attack vector with no authentication needed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious ZLIB-compressed geospatial file
Exploit
Upload to GDAL processing service
Execution
Trigger buffer overflow in inftree9.C parser
Impact
Execute arbitrary code with service privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires user interaction to open a crafted file processed by OSGeo GDAL versions before 3.11.0 with zlib/infback9 module enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment While CVSS score and vector data are not provided, the vulnerability's classification as a buffer overflow in a compression library handling untrusted input represents significant real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious geospatial file (such as a specially-formatted GeoTIFF or other compressed format handled by GDAL) containing deliberately malformed zlib-compressed data with invalid Huffman tree structures. When a vulnerable GDAL version processes this file, the inftree9.C decompression routine fails to properly validate buffer boundaries, causing a heap or stack buffer overflow. …
Remediation Upgrade OSGeo GDAL to version 3.11.0 or later to apply the official patch addressing the buffer overflow vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-4738 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy