Description
A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
Published: 2026-05-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the SWSDfldsrch function of OSGeo GDAL, where improper bounds checking causes a heap-based buffer overflow. This overflow can corrupt adjacent memory, potentially leading to arbitrary code execution or application crashes. The weakness maps to CWE-119 and CWE-122.

Affected Systems

OSGeo GDAL versions up to and including 3.13.0dev-4 are vulnerable; upgrading to 3.13.0RC1 or later resolves the issue by applying the commit that fixes the overflow.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in CISA KEV. Because local access is required and an exploit has already been published, operators with local privileges must act promptly to mitigate the risk of local code execution or denial of service.

Generated by OpenCVE AI on May 9, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GDAL to 3.13.0RC1 or any later release that includes the security fix.
  • Configure the operating system to run GDAL processes with the least privileges necessary and deny write access to directories containing untrusted data to reduce the chance that an attacker can execute the vulnerable function.
  • If the SWSDfldsrch functionality is not required, disable or remove its usage in application workflows to eliminate the attack surface.

Generated by OpenCVE AI on May 9, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
Title OSGeo gdal SWapi.c SWSDfldsrch heap-based overflow
First Time appeared Osgeo
Osgeo gdal
Weaknesses CWE-119
CWE-122
CPEs cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:*
Vendors & Products Osgeo
Osgeo gdal
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Osgeo Gdal
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T22:30:12.527Z

Reserved: 2026-05-09T07:09:13.290Z

Link: CVE-2026-8212

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T23:16:33.113

Modified: 2026-05-09T23:16:33.113

Link: CVE-2026-8212

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T05:30:04Z

Weaknesses