CVE-2025-67269
Published: 02 January 2026
Summary
CVE-2025-67269 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in gpsd, from the gpsd project. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated network exploitation of the integer underflow in gpsd maps directly to T1190 (Exploit Public-Facing Application) and leads to an application DoS via resource exhaustion (T1499.004).
NVD Description
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
Deeper analysis
An integer underflow vulnerability, tracked as CVE-2025-67269, affects the `nextstate()` function in `gpsd/packet.c` within gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. The issue arises during parsing of a NAVCOM packet, where the payload length is computed as `lexer->length = (size_t)c - 4` without verifying if the input byte `c` is less than 4. This triggers an unsigned integer underflow, assigning `lexer->length` a value near `SIZE_MAX`, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWE-191 (Integer Underflow).
Attackers can exploit this remotely over the network without authentication or user interaction by sending a specially crafted NAVCOM packet to a gpsd instance. Upon processing, the parser enters a loop attempting to consume an enormous number of bytes, resulting in 100% CPU utilization and a denial-of-service condition that renders the service unresponsive.
Mitigation involves updating gpsd to a version incorporating commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7` or later, available via the project's GitLab repository. Additional details are documented in the associated GitHub advisory at https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md.
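The arithmetic described above, as an added example that is not gpsd's code or the content of the fix commit: a small stand-in lexer that applies the `(size_t)c - 4` computation with and without a lower-bound check. The struct, the function names, the one-byte length framing and the sample bytes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum state { GROUND, PAYLOAD, DONE, REJECTED };

struct mini_lexer {          /* hypothetical stand-in, not gpsd's struct */
    enum state state;
    size_t length;           /* payload bytes still expected */
};

/* Feed one byte; `checked` selects the guarded length computation. */
static void feed(struct mini_lexer *lx, unsigned char c, bool checked)
{
    switch (lx->state) {
    case GROUND:             /* assumed framing: c counts 4 overhead bytes */
        if (checked && c < 4) {
            lx->state = REJECTED;   /* impossible length: drop the packet */
            break;
        }
        lx->length = (size_t)c - 4; /* unchecked: wraps near SIZE_MAX if c < 4 */
        lx->state = (lx->length == 0) ? DONE : PAYLOAD;
        break;
    case PAYLOAD:            /* count down one payload byte per input byte */
        if (--lx->length == 0)
            lx->state = DONE;
        break;
    default:                 /* DONE and REJECTED are terminal in this sketch */
        break;
    }
}

/* Run a constructed input through the lexer and return its final state. */
static struct mini_lexer run(const unsigned char *buf, size_t n, bool checked)
{
    struct mini_lexer lx = { GROUND, 0 };
    for (size_t i = 0; i < n; i++)
        feed(&lx, buf[i], checked);
    return lx;
}

int main(void)
{
    const unsigned char bad[] = { 3, 0xAA, 0xBB };   /* constructed sample */
    printf("unchecked: still expects %zu bytes\n", run(bad, 3, false).length);
    printf("checked:   rejected=%d\n", run(bad, 3, true).state == REJECTED);
    return 0;
}
```

With the unchecked path the lexer stays in the payload state expecting close to `SIZE_MAX` more bytes, which is the condition the description ties to the CPU-bound loop; the guarded path drops the packet at the length byte.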
Details
- CWE(s)