CVE-2026-33147
Published: 20 March 2026
Summary
CVE-2026-33147 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Generic-Mapping-Tools Gmt. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of known software flaws like the stack buffer overflow in GMT by applying patches such as commit 0ad2b49.
Implements memory protection mechanisms such as stack canaries and ASLR to prevent arbitrary code execution from stack-based buffer overflows in GMT.
Mandates validation of inputs like dataset identifiers to block specially crafted long strings that trigger the buffer overflow in gmt_remote_dataset_id.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local stack-based buffer overflow in CLI tool enables arbitrary code execution (or DoS) via crafted input with no prior privileges, directly mapping to local exploitation for privilege escalation or client execution.
NVD Description
GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a…
more
specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.
Deeper analysisAI
CVE-2026-33147 is a stack-based buffer overflow vulnerability (CWE-121) affecting GMT, an open-source collection of command-line tools for manipulating geographic and Cartesian datasets. The flaw resides in the gmt_remote_dataset_id function within src/gmt_remote.c and impacts versions 6.6.0 and prior. It is triggered when a specially crafted long string is passed as a dataset identifier, such as via the "which" module, potentially leading to a crash or arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
A local attacker with no privileges required can exploit this issue with low complexity and no user interaction. By supplying a maliciously long dataset identifier to the affected function, the attacker can cause a stack-based buffer overflow, resulting in application denial of service through a crash or, in some cases, arbitrary code execution with the privileges of the GMT process.
Mitigation is available via a patch in commit 0ad2b491470df82c9ec1139dcbd70502fa28a082, as detailed in the GitHub security advisory GHSA-fqxx-62x7-9gwg. Security practitioners should update to a patched version of GMT beyond 6.6.0 and review usage of remote dataset features, particularly the "which" module, in local environments.
Details
- CWE(s)