{"id":"CVE-2025-67268","details":"gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.","modified":"2026-03-03T01:23:34.303832Z","published":"2026-01-02T16:17:00.990Z","related":["ALSA-2026:0770","ALSA-2026:0771","MGASA-2026-0028"],"references":[{"type":"WEB","url":"https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c"},{"type":"ADVISORY","url":"https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md"},{"type":"FIX","url":"https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4"},{"type":"EVIDENCE","url":"https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gpsd/gpsd","events":[{"introduced":"0"},{"fixed":"af42bc1533c926d6e776c9e4c0536d7f861692b4"}]}],"versions":["Hejira","NTPsec_0_9_7","NTPsec_0_9_8","NTPsec_1_0_0","NTPsec_1_1_0","NTPsec_1_1_1","NTPsec_1_1_2","NTPsec_1_1_3","NTPsec_1_1_4","NTPsec_1_1_5","NTPsec_1_1_6","NTPsec_1_1_7","NTPsec_1_1_8","NTPsec_1_1_9","NTPsec_1_2_0","NTPsec_1_2_1","NTPsec_1_2_2","NTPsec_1_2_2a","NTPsec_1_2_3","NTPsec_1_2_4","dev-3.19","dev-3.19a","release-1.90","release-1.96","release-1.97","release-2.0","release-2.1","release-2.10","release-2.11","release-2.12","release-2.13","release-2.14","release-2.15","release-2.16","release-2.17","release-2.18","release-2.19","release-2.2","release-2.20","release-2.21","release-2.22","release-2.23","release-2.24","release-2.25","release-2.26","release-2.27","release-2.28","release-2.29","release-2.3","release-2.30","release-2.31","release-2.32","release-2.33","release-2.34","release-2.35","release-2.36","release-2.37","release-2.38","release-2.39","release-2.4","release-2.5","release-2.6","release-2.7","release-2.8","release-2.9","release-2.90","release-2.91","release-2.92","release-2.93","release-2.94","release-2.95","release-2.96","release-3.0","release-3.1","release-3.10","release-3.11","release-3.12","release-3.13","release-3.14","release-3.15","release-3.16","release-3.17","release-3.18","release-3.18.1","release-3.19","release-3.2","release-3.20","release-3.21","release-3.22","release-3.23","release-3.23.1","release-3.24","release-3.25","release-3.26","release-3.26.1","release-3.27","release-3.3","release-3.4","release-3.5","release-3.6","release-3.7","release-3.8","release-3.9","subversion-cutover"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67268.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}