Advisories » MGASA-2026-0028

Updated gpsd packages fix security vulnerabilities

Publication date: 30 Jan 2026
Modification date: 29 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-67268, CVE-2025-67269

Description

gpsd before commit dc966aa contains a heap-based out-of-bounds write
vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540
function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View)
packets, fails to validate the user-supplied satellite count against the
size of the skyview array (184 elements). This allows an attacker to
write beyond the bounds of the array by providing a satellite count up
to 255, leading to memory corruption, Denial of Service (DoS), and
potentially arbitrary code execution. (CVE-2025-67268)

An integer underflow vulnerability exists in the `nextstate()` function
in `gpsd/packet.c` of gpsd versions prior to commit
`ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM
packet, the payload length is calculated using `lexer->length =
(size_t)c - 4` without checking if the input byte `c` is less than 4.
This results in an unsigned integer underflow, setting `lexer->length`
to a very large value (near `SIZE_MAX`). The parser then enters a loop
attempting to consume this massive number of bytes, causing 100% CPU
utilization and a Denial of Service (DoS) condition. (CVE-2025-67269)
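
The two bug classes described above, reduced to a self-contained C example that is added here and is not gpsd's code or its patches. The names `SKYVIEW_LEN`, `NAVCOM_HDR`, `payload_len_unchecked`, `payload_len_checked` and `store_sats`, and the one-byte-per-satellite buffer layout, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SKYVIEW_LEN 184   /* array size quoted in the advisory */
#define NAVCOM_HDR  4     /* constant subtracted from the length byte */

struct sky { uint8_t prn[SKYVIEW_LEN]; size_t used; };

/* Pattern from CVE-2025-67269: unsigned subtraction with no lower bound.
 * For c < 4 the result wraps to a value near SIZE_MAX. */
size_t payload_len_unchecked(uint8_t c)
{
    return (size_t)c - NAVCOM_HDR;
}

/* Hardened form: reject a length byte smaller than the header size. */
bool payload_len_checked(uint8_t c, size_t *out)
{
    if (c < NAVCOM_HDR)
        return false;
    *out = (size_t)c - NAVCOM_HDR;
    return true;
}

/* Hardened form of the CVE-2025-67268 pattern. Simplified, constructed
 * layout (not the real PGN 129540 wire format): buf[0] is the satellite
 * count, followed by one PRN byte per satellite. The count is checked
 * against both the destination array and the bytes actually received. */
bool store_sats(struct sky *s, const uint8_t *buf, size_t buflen)
{
    if (buflen < 1)
        return false;
    size_t n = buf[0];
    if (n > SKYVIEW_LEN || n > buflen - 1)
        return false;
    for (size_t i = 0; i < n; i++)
        s->prn[i] = buf[1 + i];
    s->used = n;
    return true;
}
```
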
                

References

SRPMS

9/core