CVE-2025-67269
Summary
| CVE | CVE-2025-67269 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-02 16:17:01 UTC |
| Updated | 2026-06-30 03:16:57 UTC |
| Description | An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.004700000 probability, percentile 0.372220000 (date 2026-07-01)
Problem Types: CWE-191 | n/a | CWE-191 CWE-191 Integer Underflow (Wrap or Wraparound) | CWE-191 Integer Underflow (Wrap or Wraparound)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Gpsd Project | Gpsd | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Na | N/a | affected n/a | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:0771 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-67269.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 | [email protected] | gitlab.com | Patch |
| access.redhat.com/security/cve/CVE-2025-67269 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md | [email protected] | github.com | Exploit, Third Party Advisory |
| gitlab.com/gpsd/gpsd | [email protected] | gitlab.com | Product |
| access.redhat.com/errata/RHSA-2026:0770 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-01-02T16:01:42.941Z | Reported to Red Hat. |
| ADP | 2026-01-02T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:0770: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:0771: Red Hat Enterprise Linux AppStream (v. 9)
Workarounds
ADP: No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability. Exposure can be reduced by restricting gpsd from listening on network sockets, limiting input sources to trusted serial devices only, and ensuring the service is not accessible from untrusted networks. Deployments that do not require NAVCOM packet support should consider disabling or filtering such input where possible to further minimize risk.