2426835 – (CVE-2025-67268) CVE-2025-67268 gpsd: gpsd: Arbitrary code execution via heap-based out-of-bounds write in NMEA2000 packet handling

Bug 2426835 (CVE-2025-67268) - CVE-2025-67268 gpsd: gpsd: Arbitrary code execution via heap-based out-of-bounds write in NMEA2000 packet handling

Summary: CVE-2025-67268 gpsd: gpsd: Arbitrary code execution via heap-based out-of-bou...

Keywords:
Status:	NEW
Alias:	CVE-2025-67268
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2426931 2426932 2426933
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-02 17:02 UTC by OSIDB Bzimport
Modified:	2026-02-02 01:43 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:0770	None	None	None	2026-01-19 05:52:38 UTC
Red Hat Product Errata	RHSA-2026:0771	None	None	None	2026-01-19 06:16:26 UTC
Red Hat Product Errata	RHSA-2026:1621	None	None	None	2026-02-02 01:43:45 UTC

Description OSIDB Bzimport 2026-01-02 17:02:18 UTC

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

Comment 3 errata-xmlrpc 2026-01-19 05:52:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:0770 https://access.redhat.com/errata/RHSA-2026:0770

Comment 4 errata-xmlrpc 2026-01-19 06:16:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:0771 https://access.redhat.com/errata/RHSA-2026:0771

Comment 6 errata-xmlrpc 2026-02-02 01:43:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1621 https://access.redhat.com/errata/RHSA-2026:1621

Note You need to log in before you can comment on or make changes to this bug.