CVE-2025-67269

EUVD-2026-0658
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
Wrap or Wraparound
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
gpsd_projectgpsd
𝑥
< 3.27.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gpsd
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
3.22-4+deb11u1
fixed
forky
3.27.5-0.1
fixed
sid
3.27.5-0.1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md
https://gitlab.com/gpsd/gpsd
https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7