Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
AnalysisAI
Heap-based buffer overflow in GDAL's HDF4-EOS SWSDfldsrch function (frmts/hdf4/hdf-eos/SWapi.c) allows local authenticated attackers to cause memory corruption through manipulation of malformed HDF4 files. The vulnerability stems from unsafe string manipulation that fails to validate metadata field list format before stripping quotes, enabling out-of-bounds writes. Affects GDAL up to version 3.13.0dev-4; patch available in version 3.13.0RC1. Publicly available exploit code exists.
Technical ContextAI
The vulnerability exists in the SWSDfldsrch function within GDAL's HDF4-EOS API layer, specifically in quote-stripping logic applied to HDF4 field list metadata. The root cause (CWE-122: Heap-based Buffer Overflow) occurs when the code performs memmove(name, name + 1, strlen(name) - 2) without first validating that the name buffer actually contains quoted strings or that the computed lengths are safe. If EHgetmetavalue returns a malformed or empty string, or a string without proper quotes, the memmove operation writes beyond allocated heap boundaries. The patch adds bounds checking (len >= 2 && name[0] '"' && name[len-1] '"') and validates EHgetmetavalue return status before performing string manipulation. This affects HDF4 file parsing in GDAL's geospatial raster data handling, triggered when opening or reading HDF4 files with crafted metadata.
RemediationAI
Vendor-released patch: Upgrade GDAL to version 3.13.0RC1 or later. The fix commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd adds return-status validation and bounds checking before string manipulation in both SWapi.c and GDapi.c. For installations unable to upgrade immediately, disable HDF4 driver compilation (--without-hdf4 at build time) if HDF4 support is not essential. Alternatively, implement strict file upload validation: reject HDF4 files with malformed metadata or implement sandboxed processing of HDF4 inputs (e.g., containerized GDAL instances with resource limits). Note: Disabling HDF4 support may impact geospatial workflows relying on HDF4 EOS data (MODIS, etc.). Patch validation: confirm 3e04c0385630e4d42517046d9a4967dfccfeb7fd is present in your GDAL build; check GDAL version with gdalinfo --version.
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exce
Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker to cause a denial of service via the OGRSpatialRefe
A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers t
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that
Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryConta
Heap-based buffer overflow in OSGeo GDAL's Grid File Handler (GDSDfldsrch function in frmts/hdf4/hdf-eos/GDapi.c) affect
Heap-based buffer overflow in OSGeo GDAL up to version 3.13.0dev-4 allows local authenticated attackers to corrupt memor
Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 occurs in the HDF-EOS Grid File Handler when parsing malforme
Heap-based buffer overflow in OSGeo GDAL up to 3.13.0dev-4 within the SWnentries function of the HDF4-EOS module allows
Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 affects the GDfieldinfo function in HDF-EOS module when proce
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28948
GHSA-r5m4-5vww-w9f5