PatchSiren cyber security CVE debrief
CVE-2026-8212 Vuldb CVE debrief
CVE-2026-8212 is a local memory-corruption issue in OSGeo GDAL affecting the SWSDfldsrch function in frmts/hdf4/hdf-eos/SWapi.c. The supplied record says the flaw can trigger a heap-based buffer overflow, requires local access, and has a public exploit reference. A fix is referenced by commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd and the GDAL 3.13.0RC1 release.
- Vendor: Vuldb
- Product: Unknown
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Administrators and developers running GDAL builds up to 3.13.0dev-4, especially where HDF4/HDF-EOS support is enabled or where local users can feed data into GDAL-backed workflows.
Technical summary
The issue is a heap-based buffer overflow in SWSDfldsrch within GDAL's HDF4/HDF-EOS code path (frmts/hdf4/hdf-eos/SWapi.c). The supplied CVSS vector indicates local attack conditions with low privileges and no user interaction. The record links the issue to CWE-119 and CWE-122, and points to a fix delivered in GDAL 3.13.0RC1 via commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd.
Defensive priority
Low severity overall, but worth prioritizing for any environment that processes HDF4/HDF-EOS data on shared local systems or distributes GDAL-enabled applications to local users.
Recommended defensive actions
- Upgrade OSGeo GDAL to 3.13.0RC1 or later, or a vendor build that includes commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd.
- Inventory systems and applications that bundle or depend on GDAL up to 3.13.0dev-4, with attention to HDF4/HDF-EOS support.
- Treat the public exploit reference as a sign to accelerate patching and validate that affected builds are removed from production.
- Until patched, limit local access to systems that process untrusted HDF4/HDF-EOS data and monitor for crashes in GDAL-related workflows.
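As an added example of the inventory and upgrade-validation steps above (this is illustrative code written for this debrief, not tooling from PatchSiren or the GDAL project): a Python helper that decides, from text collected on a host, whether the reported GDAL version is older than the fixing release 3.13.0RC1 and whether the HDF4 driver family is compiled in at all. The version-string shapes it accepts and the `NAME -raster- (caps): description` line layout it expects from `gdalinfo --formats` are assumptions based on GDAL's CLI conventions; the sample format listing is constructed; ordering dev builds before release candidates before finals, and treating every build below 3.13.0RC1 as affected, are conservative design choices of this example rather than statements from the advisory.

```python
"""Per-host inventory check for CVE-2026-8212 (GDAL HDF4/HDF-EOS heap overflow).

Hypothetical helper written for this debrief; not part of GDAL or PatchSiren.
It answers two questions a patch owner needs per host:
  1. Is the installed GDAL older than the fixing release (3.13.0RC1)?
  2. Is the HDF4 driver family built in, so the SWapi.c code path is reachable?
Both checks work on plain text, so output gathered from fleet hosts can be
assessed offline; assess_local_host() runs the CLI tools directly instead.
"""
import re
import subprocess

FIXED_IN = "3.13.0RC1"          # fixing release named in the advisory
LAST_AFFECTED = "3.13.0dev-4"   # last affected build named in the advisory

# Assumed stage ordering: dev builds < release candidates < final releases.
_STAGE_RANK = {"dev": 0, "rc": 1, "": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(dev|rc)-?(\d*))?", re.IGNORECASE)


def parse_gdal_version(text):
    """Return a sortable tuple (major, minor, patch, stage_rank, stage_number)
    from text such as '3.13.0dev-4', '3.13.0RC1', '3.12.2' or the
    `gdalinfo --version` banner 'GDAL 3.12.2, released ...'.
    Raises ValueError when no version token is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no GDAL version found in {text!r}")
    major, minor, patch, stage, number = m.groups()
    stage = (stage or "").lower()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(number or 0))


def version_is_affected(text):
    """True when the version sorts before the fixing release 3.13.0RC1.
    Every earlier build, including unnumbered dev builds, is treated as affected."""
    return parse_gdal_version(text) < parse_gdal_version(FIXED_IN)


# Assumed line shape of `gdalinfo --formats`: "  NAME -kinds- (caps): description".
_FORMAT_LINE_RE = re.compile(r"^\s*(\S+)\s+-(.*?)-\s+\(([^)]*)\):\s*(.*)$")


def hdf4_drivers(formats_output):
    """Return the names of drivers in the HDF4 family found in the listing."""
    found = []
    for line in formats_output.splitlines():
        m = _FORMAT_LINE_RE.match(line)
        if m and m.group(1).upper().startswith("HDF4"):
            found.append(m.group(1))
    return found


def assess(version_text, formats_output):
    """Combine both checks into a per-host verdict with a suggested action."""
    affected = version_is_affected(version_text)
    drivers = hdf4_drivers(formats_output)
    if affected and drivers:
        action = "upgrade to 3.13.0RC1 or later; HDF4 code path is reachable"
    elif affected:
        action = "upgrade at the next window; HDF4 driver family is not built in"
    else:
        action = "fixed version installed"
    return {"affected_version": affected, "hdf4_drivers": drivers, "action": action}


def assess_local_host():
    """Run the GDAL CLI on this machine (requires GDAL to be installed)."""
    version = subprocess.run(["gdalinfo", "--version"],
                             capture_output=True, text=True, check=True).stdout
    formats = subprocess.run(["gdalinfo", "--formats"],
                             capture_output=True, text=True, check=True).stdout
    return assess(version, formats)


# Constructed sample listing, shaped like `gdalinfo --formats` on an HDF4-enabled build.
SAMPLE_FORMATS = """Supported Formats: (ro:read-only, rw:read-write, +:write from scratch, u:update, v:virtual-I/O s:subdatasets)
  VRT -raster,multidimensional raster- (rw+v): Virtual Raster
  GTiff -raster- (rw+vs): GeoTIFF
  HDF4 -raster,multidimensional raster- (ros): Hierarchical Data Format Release 4
  HDF4Image -raster- (rw+): HDF4 Dataset
  netCDF -raster,multidimensional raster,vector- (rw+s): Network Common Data Format
"""

if __name__ == "__main__":
    for v in ("3.12.2", LAST_AFFECTED, FIXED_IN, "GDAL 3.13.0, released 2026/01/01"):
        print(f"{v!r:42} -> {assess(v, SAMPLE_FORMATS)['action']}")
```

Feed `assess()` the captured `gdalinfo --version` and `gdalinfo --formats` text from each host in the inventory; a host that is affected but has no HDF4 drivers still needs the upgrade, but the HDF-EOS path this CVE concerns is not reachable there, which is the distinction the "Defensive priority" section turns on.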
Evidence notes
This debrief is based only on the supplied CVE/NVD record and linked references. The source item was published and modified on 2026-05-09T23:16:33.113Z. The references include the GDAL repository, the fixing commit, an issue discussion, the 3.13.0RC1 release tag, and a public PoC repository. The vendor field in the supplied data is Vuldb with low confidence and marked needsReview, so the product attribution should be treated as source-backed but not independently validated here.
Official resources
The supplied record and source item are dated 2026-05-09T23:16:33.113Z. The linked references point to a fix commit, release candidate, issue discussion, and a public proof-of-concept repository. This debrief stays within the supplied CVE/N