CVE-2026-33147

EUVD-2026-13784

20.03.2026, 21:17

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.3 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
GitHub_M	CNA	7.3 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
generic-mapping-tools	gmt	𝑥 ≤ 6.6.0

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-121 - Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

References

https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082

https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg