CVE-2026-49014 GDAL CVE debrief

Who should care

Organizations running GDAL-based geospatial data processing services, particularly those accepting NetCDF uploads from untrusted sources. Cloud providers offering geospatial data transformation pipelines. Scientific computing environments using GDAL for climate and environmental data analysis. Security teams responsible for supply chain risk management in open-source geospatial software stacks.

Technical summary

The vulnerability is a classic stack-based buffer overflow (CWE-121) in GDAL's netCDF vector driver. The `scanForGeometryContainers` function in `frmts/netcdf/netcdfsg.cpp` copies geometry attribute data into a fixed-size stack buffer without bounds checking. When processing a malicious NetCDF file containing an oversized geometry attribute, the buffer overflow can overwrite the return address, enabling arbitrary code execution. The CVSS 3.1 score of 7.4 (HIGH) reflects significant impact potential despite the local attack vector and high complexity requirements. The vulnerability affects GDAL versions 3.1.0 through 3.13.0, spanning approximately six years of releases.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade GDAL to a version beyond 3.13.0 when a patched release becomes available
• Restrict processing of untrusted NetCDF files in production GDAL deployments
• Implement input validation and sandboxing for geospatial data processing pipelines
• Monitor GDAL security advisories and the referenced GitHub issue for patch availability
• Apply principle of least privilege to GDAL service accounts to limit exploitation impact

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. CVSS 3.1 vector confirms local attack vector with high complexity. Weakness classified as CWE-121 (Stack-based Buffer Overflow). GitHub issue reference provided by MITRE as primary source reference.

Official resources