CVE-2025-67268
BaseFortify
Publication date: 2026-01-02
Last updated on: 2026-01-12
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpsd_project | gpsd | to 3.27.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating gpsd to the latest version that contains the fix for CVE-2025-67268, which adds proper validation of the satellite count and message length in the NMEA2000 driver. If updating is not immediately possible, you can implement network-level filtering to block or drop malformed NMEA2000 PGN 129540 messages with excessive satellite counts. Additionally, monitoring and alerting on gpsd warnings related to satellite count or message length can help detect exploitation attempts early. Applying the patch from commit dc966aa74c075d0a6535811d98628625cbfbe3f4 is recommended to prevent buffer overruns and potential arbitrary code execution. [2]
Can you explain this vulnerability to me?
This vulnerability is a heap-based out-of-bounds write in the gpsd software, specifically in the driver handling NMEA2000 PGN 129540 packets that report GNSS satellites in view. The function processing these packets does not properly validate the user-supplied satellite count against the size of the skyview array, which has 184 elements. An attacker can supply a satellite count up to 255, causing writes beyond the array bounds. This leads to memory corruption and can result in Denial of Service (DoS) or potentially allow arbitrary code execution. [2]
How can this vulnerability impact me?
The vulnerability can cause memory corruption in the gpsd service, which may lead to Denial of Service (crashes or service interruptions). More severely, it could allow an attacker to execute arbitrary code on the affected system, potentially compromising system security and control. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for malformed or suspicious NMEA2000 PGN 129540 messages that contain an abnormally high satellite count (greater than the expected maximum of 184). Since the vulnerability involves processing these messages in gpsd, you can check gpsd logs for warnings related to satellite count exceeding MAXCHANNELS or message length mismatches. Additionally, capturing CAN bus traffic and filtering for PGN 129540 packets with satellite counts above normal thresholds can help detect exploitation attempts. Specific commands might include using tcpdump or can-utils to capture CAN bus traffic, and grep or log analysis tools to find relevant warnings in gpsd logs. For example:

1. Capture CAN bus traffic (`candump` prints CAN IDs in hexadecimal, and PGN 129540 is 0x1FA04, so match on the hex form in the ID): `candump can0 | grep -i 'FA04'`
2. Check gpsd logs for warnings: `grep 'satellites_visible' /var/log/gpsd.log` or `journalctl -u gpsd | grep warning` [2]
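The satellite-count check described above can be run over `candump` output, shown here as an added Python example that is not from the advisory or the gpsd project. It assumes candump's default text format, NMEA 2000 fast-packet framing (low 5 bits of byte 0 are the frame counter, byte 1 of the first frame is the total payload length), and a PGN 129540 layout of a 3-byte header plus 12 bytes per satellite; the sample lines are constructed.

```python
import re

PGN_SKYVIEW = 129540      # GNSS Sats in View (0x1FA04)
MAXCHANNELS = 184         # skyview array size stated in the advisory text
HDR_LEN, SAT_LEN = 3, 12  # assumed layout: 3-byte header, 12 bytes per satellite

# Assumed candump default output: "  can0  19FA0423   [8]  00 27 01 03 03 ..."
LINE = re.compile(r"^\s*\S+\s+([0-9A-Fa-f]{8})\s+\[\d\]\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def inspect_line(line):
    """Return None, or a finding dict for a suspicious PGN 129540 first frame."""
    m = LINE.match(line)
    if not m:
        return None
    can_id = int(m.group(1), 16)
    data = bytes.fromhex("".join(m.group(2).split()))
    pgn = (can_id >> 8) & 0x3FFFF           # PDU2 format: PGN is bits 8..25 of the 29-bit ID
    if pgn != PGN_SKYVIEW or len(data) < 5:
        return None
    if data[0] & 0x1F:                      # frame counter != 0: not the first frame
        return None
    declared_len, count = data[1], data[4]  # total payload length, satellites-in-view field
    reasons = []
    if count > MAXCHANNELS:
        reasons.append("count exceeds MAXCHANNELS")
    if declared_len < HDR_LEN + SAT_LEN * count:
        reasons.append("payload too short for count")
    if not reasons:
        return None
    return {"source": can_id & 0xFF, "count": count,
            "declared_len": declared_len, "reasons": reasons}

# Constructed sample lines (not captured traffic).
SAMPLE = """\
  can0  19FA0423   [8]  00 27 01 03 03 05 10 20
  can0  19FA0423   [8]  01 00 00 00 00 00 00 00
  can0  19FA0442   [8]  20 DF 01 03 FF 05 10 20
  can0  09F80123   [8]  00 00 00 00 00 00 00 00
"""

def scan(text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in map(inspect_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The `source` field is the sender's CAN source address (low byte of the ID), which identifies the bus node to investigate.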