Description
A vulnerability was found in OSGeo gdal up to 3.13.0dev-4. It affects the function memmove in the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. The manipulation causes an out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be used. Upgrading to version 3.13.0RC1 resolves this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
Published: 2026-05-07
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer handling issue in the HDF‑EOS Grid File Handler of OSGeo GDAL causes an out‑of‑bounds read when processing HDF‑EOS Grid files. This flaw can expose memory contents and potentially reveal sensitive information. The weakness is classified as CWE‑119 and CWE‑125.

Affected Systems

The vulnerability affects all installed copies of OSGeo GDAL up to version 3.13.0dev‑4. The documented fix is included in release 3.13.0RC1 and later, so systems running any earlier version should be updated.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. Because the exploit is limited to local execution and the EPSS score is not available, the likelihood of widespread exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Even so, any local attacker that can place malicious HDF‑EOS Grid files on the system could exploit the out‑of‑bounds read and potentially gain access to privileged data. Upgrading the vulnerable component or otherwise removing the affected code path mitigates the risk.

Generated by OpenCVE AI on May 7, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OSGeo GDAL to version 3.13.0RC1 or newer, which contains the patch that removes the unsafe memmove call.
  • If the HDF‑EOS Grid file handler is not required in your environment, disable or remove that component to eliminate the vulnerable code path.
  • Restrict file permissions so that only trusted users can create or modify HDF‑EOS Grid files, limiting the local attack surface.

Advisories

No advisories yet.

History

Thu, 07 May 2026 19:00:00 +0000

Values added (no values removed):

Description: A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 is able to resolve this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
Title: OSGeo gdal HDF-EOS Grid File SWapi.c memmove out-of-bounds
First Time appeared: Osgeo; Osgeo gdal
Weaknesses: CWE-119; CWE-125
CPEs: cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:*
Vendors & Products: Osgeo; Osgeo gdal
References:
Metrics:
  cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-07T18:30:13.275Z

Reserved: 2026-05-07T12:21:31.524Z

Link: CVE-2026-8084

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-07T19:16:02.950

Modified: 2026-05-07T19:48:50.543

Link: CVE-2026-8084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:15:11Z
