Cyber Resilience

CVE-2026-33147

HighPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
27 March 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0002 5.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33147 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Generic-Mapping-Tools Gmt. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33147 is a stack-based buffer overflow vulnerability (CWE-121) affecting GMT, an open-source collection of command-line tools for manipulating geographic and Cartesian datasets. The flaw resides in the gmt_remote_dataset_id function within src/gmt_remote.c and impacts versions 6.6.0 and prior. It is triggered when a specially crafted long string is passed as a dataset identifier, such as via the "which" module, potentially leading to a crash or arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

A local attacker with no privileges required can exploit this issue with low complexity and no user interaction. By supplying a maliciously long dataset identifier to the affected function, the attacker can cause a stack-based buffer overflow, resulting in application denial of service through a crash or, in some cases, arbitrary code execution with the privileges of the GMT process.

Mitigation is available via a patch in commit 0ad2b491470df82c9ec1139dcbd70502fa28a082, as detailed in the GitHub security advisory GHSA-fqxx-62x7-9gwg. Security practitioners should update to a patched version of GMT beyond 6.6.0 and review usage of remote dataset features, particularly the "which" module, in local environments.

EU & UK References

Vulnerability details

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a…

more

specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Local stack-based buffer overflow in CLI tool enables arbitrary code execution (or DoS) via crafted input with no prior privileges, directly mapping to local exploitation for privilege escalation or client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25435Shared CWE-121
CVE-2019-25336Shared CWE-121
CVE-2018-25303Shared CWE-121
CVE-2020-37013Shared CWE-121
CVE-2026-25570Shared CWE-121
CVE-2026-29974Shared CWE-121
CVE-2025-24928Shared CWE-121
CVE-2020-37001Shared CWE-121
CVE-2019-25365Shared CWE-121
CVE-2019-25360Shared CWE-121

Affected Assets

generic-mapping-tools
gmt
≤ 6.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Directly requires timely remediation of known software flaws like the stack buffer overflow in GMT by applying patches such as commit 0ad2b49.

prevent

Implements memory protection mechanisms such as stack canaries and ASLR to prevent arbitrary code execution from stack-based buffer overflows in GMT.

prevent

Mandates validation of inputs like dataset identifiers to block specially crafted long strings that trigger the buffer overflow in gmt_remote_dataset_id.

References