Description
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.c.

This issue affects gdal: before 3.11.0.
Published: 2026-03-24
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an improper restriction of operations within the bounds of a memory buffer in OSGeo GDAL, specifically within the frmts/zlib/contrib/infback9 modules. The flaw originates in the inftree9.c file, where a pointer offset optimization leads to undefined behavior. An attacker can trigger this error to corrupt heap memory, potentially escalating to remote code execution. This weakness is classified as CWE-119, the class covering buffer overflows and underflows.

Affected Systems

OSGeo GDAL releases prior to version 3.11.0 are affected by this flaw. The vulnerability impacts the zlib decompression component bundled within GDAL, specifically the inftree9.c source file. Administrators should check all installations running GDAL below 3.11.0 to determine exposure.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity, though direct exploit evidence is not documented in the current advisory. The vulnerability is not yet listed in CISA's KEV catalog, and no EPSS value is available. Likely exploitation would involve feeding a crafted zlib stream to GDAL's decompression routine, triggering the undefined behavior and potentially enabling remote code execution. Because the flaw resides in a widely used geospatial library, the potential impact spans any system that processes untrusted geospatial data.

Generated by OpenCVE AI on March 24, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GDAL to version 3.11.0 or newer.
  • If an immediate upgrade is not possible, limit GDAL processing to trusted inputs and monitor for unusual activity.
  • Verify the GDAL version on all systems and apply any available vendor patches.


Advisories

No advisories yet.

References
History

Tue, 24 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Osgeo; Osgeo gdal

Type: Vendors & Products
Values Added: Osgeo; Osgeo gdal

Tue, 24 Mar 2026 03:30:00 +0000

Type: Description
Values Added: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.c. This issue affects gdal: before 3.11.0.

Type: Title
Values Added: GDAL Bundled zlib (inftree9.c) Pointer Offset Optimization Undefined Behavior Allows Heap Corruption or Remote Code Execution

Type: Weaknesses
Values Added: CWE-119

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:L/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T14:35:23.904Z

Reserved: 2026-03-24T03:17:53.186Z

Link: CVE-2026-4738

Vulnrichment

Updated: 2026-03-24T14:35:20.937Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T04:17:29.000

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:19Z

Weaknesses