CVE Catalog

CVE-2025-67268

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.67%

48th percentile - higher than 48% of all known CVEs

Summary

In gpsd before commit dc966aa, a heap-based out-of-bounds write vulnerability exists in the drivers/driver_nmea2000.c file. The hnd_129540 function, handling NMEA2000 PGN 129540 packets, fails to validate the user-supplied satellite count against the skyview array size (184 elements). This allows an attacker to write beyond the array bounds by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

Risk Assessment

The risk for the organization includes potential remote code execution by an attacker, which could lead to system compromise, as well as Denial of Service (DoS) of the GPS service, critical for navigation and location systems.

Recommendation

It is recommended to immediately update gpsd to a version containing commit dc966aa or later. If an update is not possible, restrict access to the gpsd service to trusted sources only.

Original NVD description (English source)

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS