CVE-2026-29974
Received Received - Intake
Buffer Overflow in minmea 0.3.0

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
An issue was discovered in kosma minmea 0.3.0. The minmea_scan functions format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan on untrusted input are vulnerable to a stack buffer overflow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-29974
EUVD
EUVD-2026-28786
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kosma minmea 0.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the kosma minmea 0.3.0 software, specifically in the minmea_scan functions. These functions use a format specifier that copies NMEA field data into a buffer provided by the caller, but they do so without specifying the size of the buffer. As a result, if the input data is untrusted and larger than the buffer, it can cause a stack buffer overflow.

Impact Analysis

The vulnerability can lead to a stack buffer overflow when processing untrusted input. This may allow an attacker to overwrite memory on the stack, potentially causing a crash, unexpected behavior, or enabling execution of arbitrary code. Such impacts can compromise the security and stability of applications using the vulnerable function.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-29974 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves a stack buffer overflow in the minmea_scan function when processing malformed NMEA sentences from untrusted input. Detection involves monitoring for suspicious or malformed NMEA sentences that could trigger the overflow.

Since the vulnerability arises from processing GPS data, detection can include capturing and analyzing NMEA sentences on the network or serial interface where GPS data is received.

  • Use packet capture tools (e.g., tcpdump or Wireshark) to capture GPS data streams and filter for NMEA sentences.
  • Example tcpdump command to capture GPS data on a serial interface (replace /dev/ttyS0 with your device): sudo cat /dev/ttyS0 | grep -P '\$GP.*'
  • Use custom scripts or tools to parse captured NMEA sentences and check for malformed or unusually long fields that could trigger the buffer overflow.

No specific detection commands are provided in the resources, but monitoring for malformed NMEA sentences and unusual GPS data input is recommended.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable minmea library version 0.3.0 or any affected versions when processing untrusted GPS input.

If updating the library is not immediately possible, ensure that input to the minmea_scan function is trusted or sanitized to prevent malformed NMEA sentences from being processed.

  • Apply patches or updates to the minmea library once they become available.
  • Restrict or validate GPS data sources to trusted inputs only, preventing spoofed or malicious NMEA sentences.
  • Implement input validation or filtering before passing data to minmea_scan to avoid buffer overflow triggers.

These steps help reduce the risk of denial-of-service or potential exploitation due to the buffer overflow vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29974. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart