Description
GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.
Published: 2026-03-20
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

GMT versions 6.6.0 and earlier have a stack-based buffer overflow in the gmt_remote_dataset_id function in src/gmt_remote.c. An attacker who supplies an unusually long dataset identifier string—such as via the which module—can trigger the overflow, potentially corrupting the stack and leading to a crash or arbitrary code execution. This weakness is classified as CWE-121, indicating improper buffer bounds handling.

Affected Systems

The vulnerability affects the GenericMappingTools GMT command‑line suite. All releases up to and including version 6.6.0 are impacted. Systems that run these older GMT binaries and process dataset identifiers derived from external input are susceptible.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The issue is not listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to be local, requiring the attacker to execute GMT with crafted input or have some form of local or privileged access to trigger the overflow.

Generated by OpenCVE AI on March 28, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GMT to a patched release that includes commit 0ad2b49.
  • If an upgrade is not immediately possible, ensure that any dataset identifier passed to gmt_remote_dataset_id is validated or sanitized to prevent excessively long strings from being accepted.
  • Monitor system logs for unexpected crashes or signs of stack corruption that might indicate exploitation attempts.



Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Generic-mapping-tools; Generic-mapping-tools gmt
CPEs | | cpe:2.3:a:generic-mapping-tools:gmt:*:*:*:*:*:*:*:*
Vendors & Products | | Generic-mapping-tools; Generic-mapping-tools gmt

Fri, 27 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Genericmappingtools; Genericmappingtools gmt
Vendors & Products | | Genericmappingtools; Genericmappingtools gmt

Fri, 20 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.
Title | | GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id
Weaknesses | | CWE-121
References | |
Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:56:20.930Z

Reserved: 2026-03-17T21:17:08.884Z

Link: CVE-2026-33147

Vulnrichment

Updated: 2026-03-25T13:56:12.581Z

NVD

Status: Analyzed

Published: 2026-03-20T21:17:15.243

Modified: 2026-03-27T21:07:19.390

Link: CVE-2026-33147

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:55Z
