PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67268 ntpsec CVE debrief

CVE-2025-67268 is a critical vulnerability in gpsd, a GPS service daemon, that allows for heap-based out-of-bounds writes. The vulnerability exists in the drivers/driver_nmea2000.c file, specifically in the hnd_129540 function handling NMEA2000 PGN 129540 packets. This function fails to validate user-supplied satellite counts against the size of the skyview array, which has 184 elements. An attacker can exploit this by providing a satellite count of up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. The vulnerability has a CVSS score of 9.8 and is considered CRITICAL. The CVE was published on January 2, 2026, and modified on June 30, 2026.

Vendor: ntpsec
Product: gpsd
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-02
Original CVE updated: 2026-06-30
Advisory published: 2026-01-02
Advisory updated: 2026-06-30

Who should care

Organizations and individuals using gpsd, especially in networked or internet-facing configurations, should be aware of this vulnerability. This includes but is not limited to GPS service providers, IoT device manufacturers, and any entity relying on gpsd for location services. Given the critical nature of the vulnerability, immediate attention is required to assess exposure and apply mitigations.

Technical summary

The vulnerability is caused by missing validation of user-supplied satellite counts in the hnd_129540 function, which is part of the gpsd driver that handles NMEA2000 PGN 129540 packets. The skyview array, which stores information about visible satellites, has a fixed size of 184 elements. The function does not check whether the supplied satellite count exceeds this limit, so a packet can cause writes beyond the array's bounds. This can lead to memory corruption, potentially causing a Denial of Service (DoS) or even allowing for arbitrary code execution. The CVSS score of 9.8 reflects a high impact on confidentiality, integrity, and availability.
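An added example, not gpsd's code: a simplified C model of the bounds check whose absence is described above. The 3-byte header, 12-byte record size, field offsets and every name are assumptions for illustration; only the 184-element array and the count range of up to 255 come from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKYVIEW_LEN 184  /* array size stated on this page */
#define HDR_LEN     3    /* assumed: two header bytes, then the count byte */
#define REC_LEN     12   /* assumed size of one per-satellite record */

struct sat { uint8_t prn; int16_t elev_raw; uint16_t azim_raw; };
struct sky { int visible; struct sat skyview[SKYVIEW_LEN]; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of satellites stored, or -1 if the packet is rejected. */
int parse_sats_in_view(const uint8_t *buf, size_t len, struct sky *out)
{
    if (len < HDR_LEN)
        return -1;
    unsigned count = buf[2];             /* untrusted, range 0..255 */

    /* The check the page describes as missing: count must fit the array. */
    if (count > SKYVIEW_LEN)
        return -1;
    /* Goes beyond the page: the records must also fit inside the input. */
    if (len - HDR_LEN < (size_t)count * REC_LEN)
        return -1;

    for (unsigned i = 0; i < count; i++) {
        const uint8_t *rec = buf + HDR_LEN + (size_t)i * REC_LEN;
        out->skyview[i].prn = rec[0];
        out->skyview[i].elev_raw = (int16_t)le16(rec + 1);
        out->skyview[i].azim_raw = le16(rec + 3);
    }
    out->visible = (int)count;
    return (int)count;
}

/* Constructed sample input: zero-filled packet with the given count byte. */
int demo(unsigned count, size_t len)
{
    static uint8_t pkt[HDR_LEN + 255 * REC_LEN];
    static struct sky s;
    memset(pkt, 0, sizeof pkt);
    pkt[2] = (uint8_t)count;
    return parse_sats_in_view(pkt, len, &s);
}

int main(void) { printf("%d %d\n", demo(2, 27), demo(255, 3063)); return 0; }
```

Rejecting the packet outright, rather than clamping the count to 184, keeps a malformed count from being silently treated as valid data.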

Defensive priority

High. Immediate action is required to mitigate this vulnerability due to its critical severity and potential for arbitrary code execution.

Recommended defensive actions

  • Assess if gpsd is used within the organization, especially in networked or internet-facing configurations.
  • Check the current version of gpsd and compare it with the patched version (commit dc966aa or later).
  • Apply the patch or update gpsd to a version that includes the fix (commit dc966aa or later).
  • Implement network protections to limit exposure, such as restricting access to gpsd from untrusted networks.
  • Monitor gpsd logs for suspicious activity that could indicate exploitation attempts.

Evidence notes

The CVE-2025-67268 vulnerability was published on January 2, 2026, and last modified on June 30, 2026. It affects gpsd versions prior to commit dc966aa. The vulnerability allows for heap-based out-of-bounds writes due to improper validation of user-supplied satellite counts in NMEA2000 PGN 129540 packets. The CVSS score is 9.8, indicating critical severity. Multiple references, including GitHub commits and Red Hat errata, provide additional context and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.