CRITICAL🇵🇱 Wersja polska

CVE-2025-67268

CVSS 9.8v3.1pub. 2026-01-02upd. 2026-06-30

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

🤖 AI Analysis
How it works

The hnd_129540 function in the file drivers/driver_nmea2000.c processes NMEA2000 PGN 129540 packets (GNSS Satellites in View) without validating the number of satellites provided by the user against the size of the skyview array (184 elements). An attacker can provide a satellite count value up to 255, which causes a write outside the array boundaries on the heap. This results in memory corruption that can be exploited to execute arbitrary code or cause a process crash.

Impact

An attacker can cause a crash of the gpsd service (DoS) or potentially execute arbitrary code on the system with the privileges of the gpsd process. Due to the lack of authentication requirements and network attack vector, the threat is particularly serious.

Mitigation & patch

Update gpsd to a version containing commit dc966aa74c075d0a6535811d98628625cbfbe3f4 or later. If updating is not possible, restrict network access to the gpsd service at the firewall level and consider disabling NMEA2000 interface support until the patch is applied.

Who is affected

gpsd (Gpsd Project) in all versions prior to commit dc966aa in the ntpsec/gpsd repository

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gpsd Project Gpsd

    APP
    Gpsd Project
    < 3.27.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoSMemory
CWE
References

Related vulnerabilities

CVE-2025-67269HIGH7.5ten sam produkt

An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions pr...

CVE-2018-17937HIGH8.8ten sam produkt

gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buff...

CVE-2023-43628MEDIUM5.9ten sam produkt

An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A spec...

CVE-2013-2038MEDIUM4.3ten sam produkt

The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon terminatio...