Cyber Posture

CVE-2025-67268

Critical · Public PoC

Published: 02 January 2026

Modified: 12 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-67268 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Gpsd Project Gpsd. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-10 requires validation of user-supplied inputs like the satellite count in NMEA2000 PGN 129540 packets against the skyview array size, directly preventing the heap-based out-of-bounds write.

Prevent: SI-2 mandates timely flaw remediation by updating gpsd to commit dc966aa, which fixes the validation flaw in driver_nmea2000.c.

Prevent: SI-16 implements memory protections such as ASLR and DEP to mitigate exploitation of the heap overflow leading to memory corruption or code execution.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Heap-based buffer overflow in network-facing gpsd service enables unauthenticated remote exploitation of a public-facing application via crafted NMEA2000 packets, leading to memory corruption, DoS, or potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

Deeper analysis · AI

CVE-2025-67268 is a heap-based out-of-bounds write vulnerability in gpsd versions prior to commit dc966aa. The issue resides in the drivers/driver_nmea2000.c file, specifically within the hnd_129540 function that processes NMEA2000 PGN 129540 (GNSS Satellites in View) packets. This function does not properly validate the user-supplied satellite count—limited to a maximum of 255—against the fixed size of the skyview array, which holds only 184 elements. Sending a crafted packet with a satellite count exceeding 184 triggers an out-of-bounds write, resulting in memory corruption. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-122 (Heap-based Buffer Overflow).

An unauthenticated remote attacker can exploit this vulnerability by transmitting specially crafted NMEA2000 packets to a gpsd instance listening on an affected interface. No privileges, user interaction, or special access are required, making it highly accessible over the network with low complexity. Successful exploitation leads to memory corruption, enabling denial of service (DoS) through crashes or resource exhaustion, and potentially arbitrary code execution if the corruption allows control over execution flow.

Mitigation is available via the fixing commit dc966aa74c075d0a6535811d98628625cbfbe3f4 in the ntpsec/gpsd repository, which addresses the validation flaw in driver_nmea2000.c. Security practitioners should update gpsd to a version incorporating this commit and review deployments for exposure to NMEA2000 traffic sources. Additional details are provided in the advisory at the Jaenact/gspd_cve repository README for CVE-2025-67268.
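The validation the analysis above describes as missing, as an added C sketch; it is not gpsd's code and not the text of commit dc966aa. Only the 184-element array and the 0..255 count come from this page: the names `parse_sats_in_view`, `sky_state`, `SKYVIEW_LEN` and the 3-byte header with 12-byte satellite records are assumptions made for illustration, and the payload-length check goes one step beyond what the page states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SKYVIEW_LEN 184 /* destination array size stated in the advisory */
#define HDR_LEN 3       /* assumed layout: count byte at offset 2 */
#define REC_LEN 12      /* assumed layout: 12 bytes per satellite record */

struct sat { uint8_t prn; int16_t elevation; uint16_t azimuth; };
struct sky_state { int visible; struct sat skyview[SKYVIEW_LEN]; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of satellites stored, or -1 if the payload is rejected.
 * On rejection *st is left untouched. */
int parse_sats_in_view(const uint8_t *buf, size_t len, struct sky_state *st)
{
    if (len < HDR_LEN)
        return -1;
    size_t count = buf[2]; /* sender-controlled, 0..255 */

    /* The missing check: the count must fit the destination array. */
    if (count > SKYVIEW_LEN)
        return -1;
    /* Also require that the payload really holds `count` records,
     * so the loop cannot read past the end of buf. */
    if (len - HDR_LEN < count * REC_LEN)
        return -1;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + HDR_LEN + i * REC_LEN;
        st->skyview[i].prn = rec[0];
        st->skyview[i].elevation = (int16_t)le16(rec + 1);
        st->skyview[i].azimuth = le16(rec + 3);
    }
    st->visible = (int)count;
    return (int)count;
}

int main(void)
{
    static uint8_t buf[HDR_LEN + 255 * REC_LEN]; /* constructed, zero-filled */
    static struct sky_state st;
    buf[2] = 2;   printf("count=2   -> %d\n", parse_sats_in_view(buf, sizeof buf, &st));
    buf[2] = 200; printf("count=200 -> %d\n", parse_sats_in_view(buf, sizeof buf, &st));
    return 0;
}
```

Rejecting the whole message, rather than clamping the count to 184, keeps a malformed packet from being reported as a partial but valid sky view.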

Details

CWE(s)

Affected Products

gpsd project · gpsd · ≤ 3.27.1

CVEs Like This One

CVE-2025-67269 · Same product: Gpsd Project Gpsd
CVE-2025-60724 · Shared CWE-122
CVE-2025-65085 · Shared CWE-122
CVE-2025-3320 · Shared CWE-122
CVE-2026-4395 · Shared CWE-122
CVE-2026-2005 · Shared CWE-122
CVE-2025-54462 · Shared CWE-122
CVE-2026-32956 · Shared CWE-122
CVE-2026-0006 · Shared CWE-122
CVE-2026-22828 · Shared CWE-122

References