Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component.
AnalysisAI
Heap-based buffer overflow in OSGeo GDAL up to 3.13.0dev-4 within the SWnentries function of the HDF4-EOS module allows local authenticated attackers to cause memory corruption via crafted DimensionName arguments. The vulnerability requires local access and authenticated privileges but can be exploited with publicly available proof-of-concept code. CVSS score of 1.9 reflects limited confidentiality, integrity, and availability impact despite the buffer overflow nature, indicating the vulnerability has constrained real-world severity despite its technical classification.
Technical ContextAI
The vulnerability exists in the HDF4-EOS (Hierarchical Data Format 4 Earth Observing System) subsystem of GDAL, specifically in the SWapi.c file's SWnentries function. This function processes Scientific Workspace metadata entries, including dimension names. The root cause (CWE-122: Heap-based Buffer Overflow) occurs when the function fails to properly validate or bound-check the DimensionName parameter before using it in string operations. The fix involves correcting an infinite loop condition (while(1) to while(metaptrs[0])) and adding proper bounds checking for quoted versus unquoted string length calculations in the utlstr buffer handling. HDF4 is a legacy scientific data format commonly used in geospatial and climate applications; GDAL is the standard open-source library for reading/writing such formats.
RemediationAI
Vendor-released patch: Upgrade GDAL to version 3.12.4RC1 or later. The upstream fix (commit 9491e794f1757f08063ea2f7a274ad2994afa636, merged via PR#14361) corrects the infinite loop condition and adds proper string length validation. For users unable to immediately upgrade, disable HDF4 format support in GDAL if not required (rebuild with --without-hdf4), or restrict access to HDF4 file processing to trusted data sources only. Since exploitation requires local authenticated access, network-based isolation (e.g., containerization, restricted user shells) provides limited additional benefit but reduces the attack surface from internal users. Testing should verify that legitimate HDF4 files with both quoted and unquoted dimension names are correctly parsed after patching.
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exce
Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker to cause a denial of service via the OGRSpatialRefe
A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers t
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that
Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryConta
Heap-based buffer overflow in OSGeo GDAL's Grid File Handler (GDSDfldsrch function in frmts/hdf4/hdf-eos/GDapi.c) affect
Heap-based buffer overflow in GDAL's HDF4-EOS SWSDfldsrch function (frmts/hdf4/hdf-eos/SWapi.c) allows local authenticat
Heap-based buffer overflow in OSGeo GDAL up to version 3.13.0dev-4 allows local authenticated attackers to corrupt memor
Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 occurs in the HDF-EOS Grid File Handler when parsing malforme
Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 affects the GDfieldinfo function in HDF-EOS module when proce
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28418
GHSA-72pg-5w29-wjx6