2426835 – (CVE-2025-67268) CVE-2025-67268 gpsd: gpsd: Arbitrary code execution via heap-based out-of-bounds write in NMEA2000 packet handling

Bug 2426835 (CVE-2025-67268) - CVE-2025-67268 gpsd: gpsd: Arbitrary code execution via heap-based out-of-bounds write in NMEA2000 packet handling

Summary: CVE-2025-67268 gpsd: gpsd: Arbitrary code execution via heap-based out-of-bou...

Keywords:
Status:	NEW
Alias:	CVE-2025-67268
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2426931 2426932 2426933
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-02 17:02 UTC by OSIDB Bzimport
Modified:	2026-01-06 14:47 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-02 17:02:18 UTC

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

Note You need to log in before you can comment on or make changes to this bug.