Description
A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.
Published: 2026-05-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow occurs in GDapi.c's GDSDfldsrch function when processing Grid File data. This flaw can allow an attacker with local execution rights to corrupt memory and potentially hijack execution flow, leading to arbitrary code execution or denial of service. The weakness corresponds to CWE-119 and CWE-122.

Affected Systems

The vulnerability affects OSGeo GDAL versions up to and including 3.13.0dev‑4. The affected component is the Grid File Handler used when reading certain HDF4/HDF‑EOS files. The vendor has released a patch in version 3.13.0RC1, identified by commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd. Systems running any earlier GDAL release are susceptible.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity; the exploit is local only, so the risk is limited to machines where an attacker can run code. EPSS is not available, so current exploit probability cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. The public disclosure means the flaw is known to attackers, and with sufficient local access the overflow is straightforward to trigger.

Generated by OpenCVE AI on May 10, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GDAL to version 3.13.0RC1 or later.
  • If an upgrade is not immediately feasible, restrict the ability of local users to invoke GDAL on untrusted data.
  • Monitor logs for evidence of buffer overflow attempts or anomalous crashes.

Generated by OpenCVE AI on May 10, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 23:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.
Title OSGeo gdal Grid File GDapi.c GDSDfldsrch heap-based overflow
First Time appeared Osgeo
Osgeo gdal
Weaknesses CWE-119
CWE-122
CPEs cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:*
Vendors & Products Osgeo
Osgeo gdal
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Osgeo Gdal
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T23:00:17.283Z

Reserved: 2026-05-09T07:09:26.613Z

Link: CVE-2026-8213

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T23:16:33.290

Modified: 2026-05-09T23:16:33.290

Link: CVE-2026-8213

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T01:30:45Z

Weaknesses