CVE-2025-67268
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-02

Last updated on: 2026-01-12

Assigner: MITRE

Description
gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67268
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpsd_project gpsd to 3.27.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap-based out-of-bounds write in the gpsd software, specifically in the driver handling NMEA2000 PGN 129540 packets that report GNSS satellites in view. The function processing these packets does not properly validate the user-supplied satellite count against the size of the skyview array, which has 184 elements. An attacker can supply a satellite count up to 255, causing writes beyond the array bounds. This leads to memory corruption and can result in Denial of Service (DoS) or potentially allow arbitrary code execution. [2]

Impact Analysis

The vulnerability can cause memory corruption in the gpsd service, which may lead to Denial of Service (crashes or service interruptions). More severely, it could allow an attacker to execute arbitrary code on the affected system, potentially compromising system security and control. [2]

Detection Guidance

This vulnerability can be detected by monitoring for malformed or suspicious NMEA2000 PGN 129540 messages that contain an abnormally high satellite count (greater than the expected maximum of 184). Since the vulnerability involves processing these messages in gpsd, you can check gpsd logs for warnings related to satellite count exceeding MAXCHANNELS or message length mismatches. Additionally, network traffic capturing CAN bus messages and filtering for PGN 129540 packets with satellite counts above normal thresholds can help detect exploitation attempts. Specific commands might include using tcpdump or can-utils to capture CAN bus traffic and grep or log analysis tools to find relevant warnings in gpsd logs. For example: 1. Capture CAN bus traffic: `candump can0 | grep 129540` 2. Check gpsd logs for warnings: `grep 'satellites_visible' /var/log/gpsd.log` or `journalctl -u gpsd | grep warning` [2]

Mitigation Strategies

Immediate mitigation steps include updating gpsd to the latest version that contains the fix for CVE-2025-67268, which adds proper validation of the satellite count and message length in the NMEA2000 driver. If updating is not immediately possible, you can implement network-level filtering to block or drop malformed NMEA2000 PGN 129540 messages with excessive satellite counts. Additionally, monitoring and alerting on gpsd warnings related to satellite count or message length can help detect exploitation attempts early. Applying the patch from commit dc966aa74c075d0a6535811d98628625cbfbe3f4 is recommended to prevent buffer overruns and potential arbitrary code execution. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67268. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart