PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67269 Gpsd Project CVE debrief

CVE-2025-67269 is an integer underflow vulnerability in the `nextstate()` function of gpsd, a GPS service daemon. The vulnerability occurs when parsing a NAVCOM packet, where the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. The vulnerability affects gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`.

Vendor
Gpsd Project
Product
gpsd
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-02
Original CVE updated
2026-06-30
Advisory published
2026-01-02
Advisory updated
2026-06-30

Who should care

Organizations using gpsd or products that incorporate gpsd should prioritize patching this vulnerability to prevent potential Denial of Service (DoS) attacks. This vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The gpsd project has released a patch for this issue.

Technical summary

The integer underflow vulnerability in gpsd's `nextstate()` function allows an attacker to cause a Denial of Service (DoS) condition by triggering a loop that consumes a large number of bytes, leading to 100% CPU utilization. The vulnerability is caused by the lack of input validation when calculating the payload length of a NAVCOM packet. A patch is available in commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`.

Defensive priority

High priority should be given to patching this vulnerability, as it can be exploited to cause a Denial of Service (DoS) condition. The gpsd project has provided a patch, and organizations should apply it as soon as possible.

Recommended defensive actions

  • Apply the patch provided by the gpsd project (commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`) to vulnerable gpsd installations.
  • Ensure gpsd is updated to a version that includes the patch.
  • Monitor gpsd installations for potential exploitation attempts.
  • Implement network segmentation and access controls to limit the attack surface.
  • Regularly review and update gpsd and other dependencies to ensure they are current and patched.

Evidence notes

The CVE-2025-67269 vulnerability was publicly disclosed on January 2, 2026, and has since been modified on June 30, 2026. The vulnerability affects gpsd versions prior to the patch provided in commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`.

Official resources

This article was generated with AI assistance based on the supplied source corpus and is intended for informational purposes only.