{"id":"CVE-2025-67269","details":"An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer-\u003elength = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer-\u003elength` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.","modified":"2026-04-12T22:13:21.984569Z","published":"2026-01-02T16:17:01.100Z","related":["ALSA-2026:0770","ALSA-2026:0771","MGASA-2026-0028","openSUSE-SU-2026:10008-1"],"references":[{"type":"FIX","url":"https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7"},{"type":"PACKAGE","url":"https://gitlab.com/gpsd/gpsd"},{"type":"EVIDENCE","url":"https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gpsd/gpsd","events":[{"introduced":"0"},{"fixed":"af42bc1533c926d6e776c9e4c0536d7f861692b4"},{"fixed":"ffa1d6f40bca0b035fc7f5e563160ebb67199da7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.27.1"}]}}],"versions":["Hejira","dev-3.19","dev-3.19a","release-1.90","release-1.96","release-1.97","release-2.0","release-2.1","release-2.10","release-2.11","release-2.12","release-2.13","release-2.14","release-2.15","release-2.16","release-2.17","release-2.18","release-2.19","release-2.2","release-2.20","release-2.21","release-2.22","release-2.23","release-2.24","release-2.25","release-2.26","release-2.27","release-2.28","release-2.29","release-2.3","release-2.30","release-2.31","release-2.32","release-2.33","release-2.34","release-2.35","release-2.36","release-2.37","release-2.38","release-2.39","release-2.4","release-2.5","release-2.6","release-2.7","release-2.8","release-2.9","release-2.90","release-2.91","release-2.92","release-2.93","release-2.94","release-2.95","release-2.96","release-3.0","release-3.1","release-3.10","release-3.11","release-3.12","release-3.13","release-3.14","release-3.15","release-3.16","release-3.17","release-3.18","release-3.18.1","release-3.19","release-3.2","release-3.20","release-3.21","release-3.22","release-3.23","release-3.23.1","release-3.24","release-3.25","release-3.26","release-3.26.1","release-3.27","release-3.3","release-3.4","release-3.5","release-3.6","release-3.7","release-3.8","release-3.9","subversion-cutover"],"database_specific":{"vanir_signatures_modified":"2026-04-12T22:13:21Z","vanir_signatures":[{"deprecated":false,"target":{"file":"gpsd/packet.c","function":"nextstate"},"digest":{"function_hash":"263178774706924668237634211923090998754","length":36441},"signature_type":"Function","signature_version":"v1","source":"https://gitlab.com/gpsd/gpsd@ffa1d6f40bca0b035fc7f5e563160ebb67199da7","id":"CVE-2025-67269-0e3e87aa"},{"deprecated":false,"target":{"file":"gpsd/packet.c"},"digest":{"threshold":0.9,"line_hashes":["232946447372870582734950929214147794361","252455209557864184956152164147775447050","100344254839578368912933944342035731154","312566332175847359640995602993862027523","116245087329467658684408223179089978851","124534774100781704905805919339154750382","282636686087319127693697714194784044786","273063514727277244237792129122708340840","78184409280390039629019038598580343013","47054498388085673008078682347136893192","41911136134762843150306431982061249179","52950697631556004638253485325848998392","302835219993194874044541884965549117584","70062834413860737748409518468976034577","296498981952694888142216463323063706567","193957489198182899087767475770410233243","141174356341664034629650284519915079087","189375835852003609892050216576544664473","295663324078627978608283040526535538683","133257130564790735968031664424716533533","224934798089824384191291766359945428596","125577570401424993043422971369798362780","260631022784895293936820135819932668317","114506292225918805595754315716659212756","331212619134202398866290121286492652612","301304857962818844913314621161667311758","111074036985016309434413166882684200553","20130023571374393641347996687774378219","36557875127331025860419397321810624329","266902638081822901375366673878981772210","73989853143074908201683273710869258772","101495586354197484325375157796093659477","117974536086107713339812632536709167153","324589435220548792788645384403740181146","41911136134762843150306431982061249179","154454481829764904634877095935586864863","31387928691606537196873882124836917713","27012025458145978003658454187266532663","288583704482908392357678907175270931906","41911136134762843150306431982061249179","233672076010028241879511745301741217279","64262614692798148058329914176938090162","329341897674326092738567052930694003155","35941868619464722426470045039768112169","108958792081300512965581343842498620986","54951719840278761625213617609203745023","145474205224798958523235513691225325585","256705956630223658545743586508390103567","34190359595967911592578040012370162339","3855552999826523410515197732478300842","242456442067289821828744720159658276712","295159486389130669222760324800271963597","269809633001464041569273531219717085305","41911136134762843150306431982061249179","214940189371199582286721701135000479309","99312878455032958552769152150123009160","117908083147178260222993478295275348791","277200277869846826425097114460272859681","128654886540569108760958719884146950313"]},"signature_type":"Line","signature_version":"v1","source":"https://gitlab.com/gpsd/gpsd@ffa1d6f40bca0b035fc7f5e563160ebb67199da7","id":"CVE-2025-67269-e12f2a05"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67269.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}