{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67268", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-01-06T17:40:28.563Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-01-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-02T16:05:18.965Z"}, "descriptions": [{"lang": "en", "value": "gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4"}, {"url": "https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c"}, {"url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T16:33:31.263825Z", "id": "CVE-2025-67268", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T17:40:28.563Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T16:33:31.263825Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T16:35:52.232Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4"}, {"url": "https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c"}, {"url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md"}], "descriptions": [{"lang": "en", "value": "gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-02T16:05:18.965Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67268", "state": "PUBLISHED", "dateUpdated": "2026-01-06T17:40:28.563Z", "dateReserved": "2025-12-08T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution."}], "id": "CVE-2025-67268", "lastModified": "2026-01-06T18:15:43.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-02T16:17:00.990", "references": [{"source": "[email protected]", "url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md"}, {"source": "[email protected]", "url": "https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c"}, {"source": "[email protected]", "url": "https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "gpsd: gpsd: Arbitrary code execution via heap-based out-of-bounds write in NMEA2000 packet handling", "id": "2426835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426835"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in gpsd. The hnd_129540 function, responsible for handling NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to properly validate the user-supplied satellite count. A remote attacker can exploit this by sending a specially crafted packet with an excessive satellite count, leading to a heap-based out-of-bounds write. This memory corruption can result in a Denial of Service (DoS) and potentially allow for arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Risk can be reduced by limiting exposure of gpsd to trusted NMEA2000/CAN bus sources only, ensuring that untrusted or externally reachable interfaces cannot inject crafted Fast Packets. Systems should avoid forwarding NMEA2000 traffic from bridged, virtualized, or containerized environments unless strict validation is in place, and gpsd should be run with least-privilege permissions to minimize the impact of a crash or corrupted state."}, "name": "CVE-2025-67268", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gpsd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gpsd-minimal", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-67268\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67268\nhttps://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md\nhttps://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c\nhttps://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4"], "statement": "This vulnerability is rated Important rather than Moderate because it results in a heap-based out-of-bounds write triggered by untrusted, attacker-controlled input processed in a core parsing path of gpsd. The satellite count field from a PGN 129540 NMEA2000 Fast Packet is used directly as a loop bound without validation, allowing a single malformed packet to deterministically overwrite heap memory beyond the fixed-size skyview array. Unlike logic errors that only cause graceful failures, this condition introduces active memory corruption, which can destabilize the daemon, corrupt adjacent heap objects, and compromise internal session state in ways that are non-recoverable without a restart. The flaw is reachable pre-authentication, requires no brute force or sustained traffic, and can be reliably triggered with minimal attacker effort once CAN bus access is obtained.", "threat_severity": "Important"}