CVE-2025-67269
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-02

Last updated on: 2026-01-09

Assigner: MITRE

Description
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67269
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpsd_project gpsd to 3.27.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an integer underflow in the nextstate() function of gpsd's packet.c file. When parsing a NAVCOM packet, the code calculates the payload length by subtracting 4 from an input byte value without checking if that value is less than 4. If it is, this causes an unsigned integer underflow, setting the length to a very large number. The parser then tries to process this huge length, leading to excessive CPU usage and a denial-of-service condition. [2]

Impact Analysis

The vulnerability can cause the gpsd service to consume 100% CPU resources by entering a loop processing an extremely large payload length. This results in a denial-of-service (DoS) condition, potentially making the GPS service unavailable or unresponsive. [2]

Detection Guidance

This vulnerability can be detected by monitoring the gpsd process for unusually high CPU utilization, as the integer underflow causes the parser to enter a loop consuming 100% CPU. You can use commands like 'top' or 'htop' on Linux to observe CPU usage of the gpsd process. Additionally, inspecting logs for malformed NAVCOM packets or unusual gpsd behavior may help. Specific commands include: 'top -p $(pidof gpsd)' or 'htop' and filtering for gpsd, and 'tcpdump' or 'wireshark' to capture and analyze NAVCOM packets for anomalies. [2, 3]

Mitigation Strategies

The immediate mitigation step is to update gpsd to a version that includes the fix from commit ffa1d6f40bca0b035fc7f5e563160ebb67199da7, which prevents the integer underflow in the nextstate() function. Until the update can be applied, consider restricting or filtering NAVCOM packets from untrusted sources to prevent malicious packets from triggering the vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67269. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart