CVE-2025-67268

9.8 CRITICAL

📋 TL;DR

This vulnerability in gpsd allows attackers to trigger heap-based out-of-bounds writes by sending specially crafted NMEA2000 PGN 129540 packets with excessive satellite counts. This can lead to memory corruption, denial of service, and potentially remote code execution. Systems running vulnerable versions of gpsd that process NMEA2000 data are affected.

💻 Affected Systems

Products:
  • gpsd
Versions: All versions before commit dc966aa74c075d0a6535811d98628625cbfbe3f4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when gpsd is configured to process NMEA2000 data streams

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with root privileges leading to complete system compromise

🟠 Likely Case: Denial of service causing gpsd service crashes and GPS functionality disruption

🟢 If Mitigated: Service disruption without privilege escalation if memory protections are in place

🌐 Internet-Facing: MEDIUM - Requires gpsd to be exposed to untrusted networks and processing NMEA2000 data
🏢 Internal Only: LOW - Typically gpsd runs locally and processes trusted GPS data sources

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed NMEA2000 packets to gpsd's listening port

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit dc966aa74c075d0a6535811d98628625cbfbe3f4 and later

Vendor Advisory: https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4

Restart Required: Yes

Instructions:

1. Update gpsd to the latest version from the official repository
2. Apply commit dc966aa74c075d0a6535811d98628625cbfbe3f4
3. Restart the gpsd service

🔧 Temporary Workarounds

Disable NMEA2000 processing (linux)

Configure gpsd so that it does not process NMEA2000 data streams: edit the gpsd configuration to exclude NMEA2000 sources.

Network isolation (linux)

Restrict network access to the gpsd service:

iptables -A INPUT -p tcp --dport 2947 -j DROP
ufw deny 2947/tcp

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate gpsd from untrusted networks
  • Use application firewalls to filter NMEA2000 traffic to gpsd

🔍 How to Verify

Check if Vulnerable:

In a gpsd source checkout, verify that commit dc966aa is present: git log --oneline | grep dc966aa

Check Version:

gpsd --version

Verify Fix Applied:

Verify the fix by checking that driver_nmea2000.c validates the satellite count before using it

📡 Detection & Monitoring

Log Indicators:

  • gpsd segmentation faults
  • gpsd service crashes
  • unusual memory allocation patterns

Network Indicators:

  • NMEA2000 PGN 129540 packets with satellite count > 184
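
The network indicator above, as an added detection example (not code from the advisory or from gpsd): it inspects reassembled PGN 129540 payloads and flags a satellite count above the advisory's threshold, or a count the payload is too short to back. The field layout (SID, mode byte, count byte, then 12 bytes per satellite) and the constructed sample payloads are assumptions, not captured traffic.

```python
# Added detection example (not from the advisory or from gpsd): flag NMEA2000
# PGN 129540 (GNSS Sats in View) payloads that declare more satellites than
# the advisory's indicator threshold, or more than the payload can hold.
# Assumed layout of the reassembled fast-packet payload: byte 0 SID, byte 1
# range-residual mode/reserved, byte 2 sats-in-view count, 12 bytes per sat.

SAT_COUNT_THRESHOLD = 184   # indicator value stated in the advisory
HEADER_LEN = 3              # assumed: SID, mode, count
SAT_RECORD_LEN = 12         # assumed: PRN, elev, azim, SNR, residual, status


def check_pgn129540(payload: bytes):
    """Return (suspicious, reason, declared_count) for one payload."""
    if len(payload) < HEADER_LEN:
        return True, "payload shorter than header", 0
    count = payload[2]
    if count > SAT_COUNT_THRESHOLD:
        return True, f"satellite count {count} exceeds {SAT_COUNT_THRESHOLD}", count
    # A count the payload cannot back is also malformed: a receiver that
    # trusts the count byte would read past the data it actually has.
    needed = HEADER_LEN + SAT_RECORD_LEN * count
    if len(payload) < needed:
        return True, f"payload has {len(payload)} bytes, count implies {needed}", count
    return False, "ok", count


def scan_payloads(payloads):
    """Return (index, reason) for every suspicious payload in a batch."""
    hits = []
    for i, p in enumerate(payloads):
        suspicious, reason, _ = check_pgn129540(p)
        if suspicious:
            hits.append((i, reason))
    return hits


# Constructed sample payloads (not captured traffic): a well-formed 12-sat
# message, a message whose count byte claims 200 satellites, and one whose
# count (40) is plausible but whose body holds data for only 2.
BENIGN = bytes([0x01, 0x00, 12]) + bytes(12 * SAT_RECORD_LEN)
OVERSIZED = bytes([0x01, 0x00, 200]) + bytes(2 * SAT_RECORD_LEN)
TRUNCATED = bytes([0x01, 0x00, 40]) + bytes(2 * SAT_RECORD_LEN)

if __name__ == "__main__":
    for idx, why in scan_payloads([BENIGN, OVERSIZED, TRUNCATED]):
        print(f"payload {idx}: {why}")
```

Feed it payloads reassembled from the CAN interface gpsd reads (fast-packet reassembly is outside this snippet); the length check catches malformed frames that stay under the 184 threshold.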

SIEM Query:

process:gpsd AND (event_type:crash OR memory_violation)
