Skip to main content

Gmt EUVDEUVD-2026-13784

| CVE-2026-33147 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-03-20 GitHub_M
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 20:30 euvd
EUVD-2026-13784
Analysis Generated
Mar 20, 2026 - 20:30 vuln.today
CVE Published
Mar 20, 2026 - 20:10 nvd
HIGH 7.3

DescriptionGitHub Advisory

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.

AnalysisAI

Stack-based buffer overflow in GMT versions 6.6.0 and earlier allows local attackers to crash the application or execute arbitrary code by supplying an excessively long dataset identifier to vulnerable functions like gmt_remote_dataset_id. The vulnerability affects command-line processing of geographic data and currently lacks a public patch, leaving all affected GMT installations exposed to local exploitation.

Technical ContextAI

GMT (Generic Mapping Tools) is an open source collection of command-line utilities for processing geographic and Cartesian datasets, widely used in geoscience research and mapping applications. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and resides in the gmt_remote_dataset_id function within src/gmt_remote.c. This function improperly handles user-supplied dataset identifiers without adequate bounds checking, allowing an overly long string to overflow the stack buffer. The affected product is identified via CPE as cpe:2.3:a:genericmappingtools:gmt:*:*:*:*:*:*:*:*, indicating the core GMT application. Stack-based buffer overflows are particularly dangerous as they can overwrite return addresses and function pointers, enabling attackers to redirect program execution flow.

RemediationAI

Users should immediately upgrade to a patched version of GMT that includes commit 0ad2b491470df82c9ec1139dcbd70502fa28a082, which addresses the stack-based buffer overflow in the gmt_remote_dataset_id function. The patch details are available at https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082 and the security advisory at https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg. Until patching is completed, organizations should implement defense-in-depth measures such as restricting the processing of untrusted or external datasets, running GMT tools with minimal privileges in sandboxed environments, and validating dataset identifiers before passing them to GMT functions. Input validation should specifically check for excessively long strings in dataset identifiers to prevent buffer overflow conditions.

Share

EUVD-2026-13784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy