Description
A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
Published: 2026-05-07
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds read resides in the GDfieldinfo function of frmts/hdf4/hdf-eos/GDapi.c (the HDF-EOS support code of the HDF4 driver) in OSGeo GDAL, affecting all releases up to 3.13.0dev-4. The flaw lets the function read memory beyond the intended buffer boundaries, exposing whatever data is stored there. It is classified as improper restriction of operations within the bounds of a memory buffer (CWE-119) and out-of-bounds read (CWE-125). If triggered, the result may be disclosure of process memory or a crash of the process that runs GDAL.

Affected Systems

All installations of OSGeo GDAL with a version equal to or less than 3.13.0dev-4 are vulnerable. The fix is included in release 3.13.0RC1, so updating to that version or any newer release will eliminate the flaw.

Risk and Exploitability

The CVSS v4.0 score of 4.8 places the vulnerability in the medium severity range (the v3.0 and v3.1 scores are 3.3, Low). No EPSS data is supplied and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild yet. The attack vector is local: an attacker needs to get GDAL on the host to process input they control, which makes the flaw pertinent for environments that run GDAL on untrusted files or that grant local access rights to users. The publicly available proof-of-concept indicates that such an attacker can trigger the read, potentially exposing data handled by GDAL or crashing the process; the CVSS vectors (C:N/I:N/A:L) rate the impact as availability only.

Generated by OpenCVE AI on May 7, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OSGeo GDAL to 3.13.0RC1 or later.
  • Restart any services or processes that use GDAL so the updated library is loaded.
  • If the environment permits local execution by non‑privileged users, restrict or remove such permissions and ensure GDAL inputs are validated before use.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:00:00 +0000

Values Added (no values removed):

  Description: A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
  Title: OSGeo gdal GDapi.c GDfieldinfo out-of-bounds
  First Time appeared: Osgeo; Osgeo gdal
  Weaknesses: CWE-119; CWE-125
  CPEs: cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:*
  Vendors & Products: Osgeo; Osgeo gdal
  References:
  Metrics:
    cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-07T19:30:11.704Z

Reserved: 2026-05-07T12:34:26.732Z

Link: CVE-2026-8088

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:45.510

Modified: 2026-05-07T20:32:03.640

Link: CVE-2026-8088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:00:12Z

Weaknesses