The vulnerability is a stack buffer overflow caused by kosma minmea 0.3.0’s minmea_scan functions copying NMEA field data to caller-provided buffers without a size parameter. The overflow allows an attacker to overwrite stack memory and corrupt control‑flow data or inject executable bytes. Based on the description, it is inferred that an attacker who can supply crafted NMEA payloads may achieve arbitrary code execution, a classic CWE‑121 stack‑based buffer overflow. This flaw directly threatens confidentiality, integrity, and availability of applications that process untrusted NMEA input.

Affected systems include any software that links against kosma minmea 0.3.0 and accepts NMEA messages from external or untrusted sources. Because no specific vendor or product line is enumerated, any application using this library version for parsing GPS or navigation data is potentially at risk.

The CVSS score is 7.5 and EPSS is not available, but the nature of the overflow suggests a high severity potential. The flaw is not currently listed in CISA KEV. Because the buffer copy is unchecked, an attacker can supply malformed NMEA data over any interface that forwards such messages, such as satellite receivers, GPS modules, or networked parsing services. The lack of bounds checking makes exploitation feasible for a skilled attacker and therefore represents a high‑risk vulnerability with a likely remote attack vector.