PatchSiren cyber security CVE debrief
CVE-2025-67269 Gpsd Project CVE debrief
CVE-2025-67269 is an integer underflow in the `nextstate()` function of gpsd, the GPS service daemon. While parsing a NAVCOM packet, the lexer computes the payload length as `lexer->length = (size_t)c - 4` without first checking that the input byte `c` is at least 4. When `c` is smaller than 4 the unsigned subtraction wraps, leaving `lexer->length` near `SIZE_MAX` (for `c == 0` it is exactly `SIZE_MAX - 3`). The parser then loops trying to consume that many payload bytes, pinning the process at 100% CPU and producing a Denial of Service (DoS). gpsd builds that predate commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7` are affected.
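The length computation described above, reduced to a self-contained C model so the wrap and its consequence can be seen side by side with a bounds-checked version. This is an added example, not gpsd's code: the struct, the function names, the `NAVCOM_HDR_LEN` constant (the 4 subtracted in `(size_t)c - 4`), the iteration cap and the sample payload are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the NAVCOM length computation described in the
 * debrief. This is NOT gpsd's code; the struct, the names and the
 * 4-byte header constant are assumptions made for illustration.
 */
#define NAVCOM_HDR_LEN 4u   /* assumed: the 4 subtracted in `(size_t)c - 4` */

typedef struct {
    size_t length;   /* payload bytes the lexer still wants to consume */
    bool   rejected; /* hardened path only: the length byte was invalid */
} lexer_state_t;

/* Vulnerable form: the subtraction wraps when c < 4 (unsigned underflow). */
void navcom_length_vulnerable(lexer_state_t *lx, unsigned char c)
{
    lx->length   = (size_t)c - NAVCOM_HDR_LEN;
    lx->rejected = false;
}

/* Hardened form: bounds-check the length byte before subtracting. */
void navcom_length_hardened(lexer_state_t *lx, unsigned char c)
{
    if (c < NAVCOM_HDR_LEN) {
        lx->length   = 0;
        lx->rejected = true;   /* caller should resync the lexer, not consume */
        return;
    }
    lx->length   = (size_t)c - NAVCOM_HDR_LEN;
    lx->rejected = false;
}

/*
 * Simulated consume loop. A real lexer keeps pulling bytes until `length`
 * reaches zero; with a wrapped length that is effectively forever. The
 * iteration cap exists only so this demo terminates. Returns the number
 * of iterations spent.
 */
size_t consume_payload(lexer_state_t *lx, const unsigned char *buf,
                       size_t buflen, size_t cap)
{
    size_t pos = 0, iters = 0;
    while (lx->length > 0 && iters < cap) {
        if (pos < buflen)
            pos++;           /* a byte was available and was consumed */
        /* else: nothing left to read; a real loop would keep spinning here */
        lx->length--;
        iters++;
    }
    return iters;
}

/* Constructed sample payload bytes; their contents do not matter for the bug. */
const unsigned char sample_payload[] = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 };

int main(void)
{
    lexer_state_t lx;
    size_t ran;

    navcom_length_vulnerable(&lx, 0);          /* length byte 0 < 4: wraps */
    printf("vulnerable: length=%zu (SIZE_MAX-3=%zu)\n", lx.length, SIZE_MAX - 3);
    ran = consume_payload(&lx, sample_payload, sizeof sample_payload, 1000);
    printf("vulnerable: loop hit the demo cap after %zu iterations\n", ran);

    navcom_length_hardened(&lx, 0);            /* same byte, rejected up front */
    printf("hardened: rejected=%d length=%zu\n", lx.rejected, lx.length);

    navcom_length_hardened(&lx, 10);           /* valid: 10 - 4 = 6 payload bytes */
    printf("hardened: length=%zu\n", lx.length);
    ran = consume_payload(&lx, sample_payload, sizeof sample_payload, 1000);
    printf("hardened: loop finished after %zu iterations\n", ran);
    return 0;
}
```

The point of the cap is only to keep the demo finite; in the real daemon nothing bounds the loop, which is why the symptom is a CPU-pinned process rather than a crash. The hardened path rejects the frame before any subtraction happens, so no wrapped value ever reaches the consume loop.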
- Vendor: Gpsd Project
- Product: gpsd
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-02
- Advisory updated: 2026-06-30
Who should care
Organizations running gpsd directly, or products that embed it, should prioritize patching: the bug is reachable through the packet lexer, so any source of NAVCOM data that reaches gpsd can trigger the CPU-pinning Denial of Service (DoS). The issue carries a CVSS score of 7.5 (HIGH), and the gpsd project has released a fix.
Technical summary
The integer underflow in gpsd's `nextstate()` function lets an attacker drive the lexer into a loop that tries to consume a near-`SIZE_MAX` number of bytes, pinning the process at 100% CPU and causing a Denial of Service (DoS). The root cause is a missing lower-bound check on the NAVCOM length byte before it is used in `lexer->length = (size_t)c - 4`. The fix is in commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`.
Defensive priority
High priority should be given to patching this vulnerability, as it can be exploited to cause a Denial of Service (DoS) condition. The gpsd project has provided a patch, and organizations should apply it as soon as possible.
Recommended defensive actions
- Apply the gpsd project's fix (commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`) to vulnerable installations, or update to a gpsd release that includes it.
- Monitor gpsd hosts for a gpsd process stuck at 100% CPU, which is the observable symptom of this bug.
- Limit which sources can feed data to gpsd: network segmentation and access controls on any network-accessible GPS feeds reduce the attack surface of the packet lexer.
- Regularly review and update gpsd and other dependencies so they remain current and patched.
Evidence notes
CVE-2025-67269 was publicly disclosed on January 2, 2026, and the record was last modified on June 30, 2026. Affected versions are those built before the fix in commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`; no fixed release number is given in the stored evidence.
Official resources
- CVE-2025-67269 CVE record (CVE.org)
- CVE-2025-67269 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: tagged Exploit, Third Party Advisory (link not preserved)
- Source reference: tagged Product (link not preserved)
- Mitigation or vendor reference: tagged Patch (link not preserved)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus and is intended for informational purposes only.