{"id":"MGASA-2026-0028","summary":"Updated gpsd packages fix security vulnerabilities","details":"gpsd before commit dc966aa contains a heap-based out-of-bounds write\nvulnerability in the drivers/driver_nmea2000.c file. The hnd_129540\nfunction, which handles NMEA2000 PGN 129540 (GNSS Satellites in View)\npackets, fails to validate the user-supplied satellite count against the\nsize of the skyview array (184 elements). This allows an attacker to\nwrite beyond the bounds of the array by providing a satellite count up\nto 255, leading to memory corruption, Denial of Service (DoS), and\npotentially arbitrary code execution. (CVE-2025-67268)\nAn integer underflow vulnerability exists in the `nextstate()` function\nin `gpsd/packet.c` of gpsd versions prior to commit\n`ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM\npacket, the payload length is calculated using `lexer-\u003elength =\n(size_t)c - 4` without checking if the input byte `c` is less than 4.\nThis results in an unsigned integer underflow, setting `lexer-\u003elength`\nto a very large value (near `SIZE_MAX`). The parser then enters a loop\nattempting to consume this massive number of bytes, causing 100% CPU\nutilization and a Denial of Service (DoS) condition. (CVE-2025-67269)\n","modified":"2026-04-16T04:40:53.052516002Z","published":"2026-01-30T00:39:37Z","upstream":["CVE-2025-67268","CVE-2025-67269"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0028.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34959"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7948-1"}],"affected":[{"package":{"name":"gpsd","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/gpsd?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.25-1.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0028.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}