CVE-2025-67268

CVE-2025-67268 is a heap-based out-of-bounds write vulnerability in gpsd versions prior to commit dc966aa. The issue resides in the drivers/driver_nmea2000.c file, specifically within the hnd_129540 function that processes NMEA2000 PGN 129540 (GNSS Satellites in View) packets. This function does not properly validate the user-supplied satellite count—limited to a maximum of 255—against the fixed size of the skyview array, which holds only 184 elements. Sending a crafted packet with a satellite count exceeding 184 triggers an out-of-bounds write, resulting in memory corruption. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-122 (Heap-based Buffer Overflow).

An unauthenticated remote attacker can exploit this vulnerability by transmitting specially crafted NMEA2000 packets to a gpsd instance listening on an affected interface. No privileges, user interaction, or special access are required, making it highly accessible over the network with low complexity. Successful exploitation leads to memory corruption, enabling denial of service (DoS) through crashes or resource exhaustion, and potentially arbitrary code execution if the corruption allows control over execution flow.

Mitigation is available via the fixing commit dc966aa74c075d0a6535811d98628625cbfbe3f4 in the ntpsec/gpsd repository, which addresses the validation flaw in driver_nmea2000.c. Security practitioners should update gpsd to a version incorporating this commit and review deployments for exposure to NMEA2000 traffic sources. Additional details are provided in the advisory at the Jaenact/gspd_cve repository README for CVE-2025-67268.