{"id":"CVE-2025-67268","details":"gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.","modified":"2026-04-16T04:35:12.702436249Z","published":"2026-01-02T16:17:00.990Z","related":["ALSA-2026:0770","ALSA-2026:0771","openSUSE-SU-2026:10008-1"],"references":[{"type":"WEB","url":"https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c"},{"type":"FIX","url":"https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4"},{"type":"EVIDENCE","url":"https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ntpsec/gpsd","events":[{"introduced":"0"},{"fixed":"dc966aa74c075d0a6535811d98628625cbfbe3f4"}]},{"type":"GIT","repo":"https://gitlab.com/gpsd/gpsd","events":[{"introduced":"0"},{"fixed":"af42bc1533c926d6e776c9e4c0536d7f861692b4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.27.1"}]}}],"versions":["Hejira","dev-3.19","dev-3.19a","release-1.90","release-1.96","release-1.97","release-2.0","release-2.1","release-2.10","release-2.11","release-2.12","release-2.13","release-2.14","release-2.15","release-2.16","release-2.17","release-2.18","release-2.19","release-2.2","release-2.20","release-2.21","release-2.22","release-2.23","release-2.24","release-2.25","release-2.26","release-2.27","release-2.28","release-2.29","release-2.3","release-2.30","release-2.31","release-2.32","release-2.33","release-2.34","release-2.35","release-2.36","release-2.37","release-2.38","release-2.39","release-2.4","release-2.5","release-2.6","release-2.7","release-2.8","release-2.9","release-2.90","release-2.91","release-2.92","release-2.93","release-2.94","release-2.95","release-2.96","release-3.0","release-3.1","release-3.10","release-3.11","release-3.12","release-3.13","release-3.14","release-3.15","release-3.16","release-3.17","release-3.18","release-3.18.1","release-3.19","release-3.2","release-3.20","release-3.21","release-3.22","release-3.23","release-3.23.1","release-3.24","release-3.25","release-3.26","release-3.26.1","release-3.27","release-3.3","release-3.4","release-3.5","release-3.6","release-3.7","release-3.8","release-3.9","subversion-cutover"],"database_specific":{"vanir_signatures_modified":"2026-04-12T22:57:44Z","vanir_signatures":[{"digest":{"length":1368,"function_hash":"105259528630567690175396207059184867841"},"signature_type":"Function","id":"CVE-2025-67268-1cbc29ef","deprecated":false,"source":"https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4","target":{"file":"drivers/driver_nmea2000.c","function":"hnd_129540"},"signature_version":"v1"},{"digest":{"length":3744,"function_hash":"104243196420291599400759051243659380884"},"signature_type":"Function","id":"CVE-2025-67268-3b943542","target":{"file":"drivers/driver_nmea2000.c","function":"hnd_129794"},"source":"https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["301899082615778777958300994720599554715","173313207925924300750538826159892586097","223233895100158281844381273673919708353","110484929666747789041113765260162972004","187391794010732201736388972714275196954","230646192056287253692020247170152917391","143746418151742419392005416412968428510","258663627648466636016807365128241252256","84286245727133985775637505658253462896","203657649542939271645549124154522397170","42241344955198936162462118037970764442","291194823374081130730644706115702638306","288946676764685565951419866227719327998","123877158461419912975070738811683022003","122730909966964399552096204534916504749","150207851635810719461999571982036739465","270737244785664652208123544399968698075","184984997373703787042761790868655614706","121741773227501933846222551061355767988","131598562055115311107171319703273104719","309936402353376797338546836117953791633","228965490133355669210526840367999854778","254178367809938876783246051847650858602","147162964671859547538754794995422111163","276873986630947536745053840261197116511","125066342053508356492509753333970150304","51141001591889163080580818268196202184","45513369824706700460333445760124407646","88473383690504424851017032787444658009","67307213979811526136784965610048598118","241002203408033455836298324352726752143","331595714722402796383098273866650670501","122128572970794042470244986871509392938","326156396403926860227506787310461159622","218139428144337197984501315863984807958","42179085120155464671271938638761860644","162183925228550454435809151627159998902","326551046008180817052378351367054739228","190997459732795863606948481439584157633","84575677316916295386036876804762932791","349995656070543335757380238685057486","246581169863630670559817428784400019605","92898145458241941169643023565596597167","48608388770810409429168444813329265608","228811853701403466642071577897052304431","152856243337449848629680666452702073848","334567402186982500277074964138475563936","228965490133355669210526840367999854778","56258332439274155442974792293277067956","85669919538558443160316497417679545966","76717866043278817890814219058258317187","16299343317838569866682939166407001617","327546806110741070629781786260085135972","18098775667748604966013750148919629345","212938115192396657926239792580753985951","328184742661260129927468121672789464891","40812079506764683351079724876170836780","161351160096788792412922180139285832923","44894008872964552468107490820897293014","18410556787139689384800605930638609038","282076088128163838374807020892935969022","120523308835601733744165952653234320652","146330190709743845346360877718992484166","60770490530877303098463823643353459023","152117939046612027391667232092097094126","261586645594208733742381735499652766627","225245517090070010918179204392061464446","230985081827738108209689837926818591368","326406507393856881241662499343789402559","25687408488990309135433254248238932505","92096370762457955123051941306948778879","109119817195730705194132769788230916430","201115015377132237017031325406261761682","188184911841304245314966325044580609401","194095968629133177862830097885741635178","219843522519551343836412509744732919584","62877109728028988082484107853782935031","92201161618145433187161081902409276417","217954927850451629330622116262712971936","126633765821012722795315053623843570912","334850354326762282016648728720955654995","28196637138051000841096674966492382494","274923851681568825722220736678061849597","145408303397525999208183034398253860634","139079787763409600414759211655074086243","180785303726664127800578811306983866758","39176888230941191792787340804780343285","56132815662644486971439363288176522943","99461643383074365486544712131657833550","49088599479885417100500372121169173682","308112235966414382862167329129896736800","37363573563332471201614205770822823247","98906147084495459601029137846333735445","131178370538368186639578252235656961528","117174158533594169567235366920753282407","15666528023370909860605963704613269064","106350967037646459330499007725589073475","291774798488419977141691412377129675707","125178119593380550562143903386906344396","57345500855443246931356951900079055167","45050053078876900200127501457120842933","276105055783441647873776541939014935128","282944876298106450509047275527438182242","131520817959633764989535248442453059190","81238217792783197297421807540158472730","156111094994057214676289451080804130499","123255003356401633642635486001216568661","198199403283513011170292080064110418768","229120158649950553899524201712657687382","250812894841808828062272231052520478278","112708045375494266190601965587765044805","172269027513090635287458110976474855460","190443543030567916707242903457386362757","146337777459598868444701570133377285873","312112377369680645189556332915362454390","266711515856932627689923619515567074828","99777858879540348261888289983013670176","39856916969520132702201137784585512566","97708747760475442440079488706414958784","227701834237883993479016026870537580102","164345851376346150403299367599197148580","76002774139815901694721991262020520570","294177779469757185246810499118731229743","270504300135502789691340715091027341011","196142074540582511756470783133624176778","28408262499129202399996484083694204146","43632956342419999162640169397103545449","80305380209092797669467611247781290384","5045876003325082659626443246594112550","233460529130323497895547048915668909920","253145521652550357402418201558113071887","71838217061253676067390957255882423930","221834986752664217719881613152418161514","273169590367009214640950606111446255953","104479839500280551302457441850641657966","118137108742181096931269753800550874739","16207332635578960925876091048559541587","65873235745888076677319067871239969876","164473191002341174039468922053418468049","108050039061681470442928716122549125353","262800260259799005509092656696079559907","190443543030567916707242903457386362757","332841060657010191570505651459853387976","19484340974669335423772080041894236442"],"threshold":0.9},"signature_type":"Line","id":"CVE-2025-67268-46496368","deprecated":false,"source":"https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4","target":{"file":"drivers/driver_nmea2000.c"},"signature_version":"v1"},{"digest":{"length":680,"function_hash":"269850291394952259709565422042920942540"},"signature_type":"Function","id":"CVE-2025-67268-a89bc14a","deprecated":false,"source":"https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4","target":{"file":"drivers/driver_nmea2000.c","function":"print_data"},"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67268.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}