{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67269", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-01-06T17:40:49.246Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-01-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-02T15:49:05.691Z"}, "descriptions": [{"lang": "en", "value": "An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7"}, {"url": "https://gitlab.com/gpsd/gpsd"}, {"url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-191", "lang": "en", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T16:37:07.630167Z", "id": "CVE-2025-67269", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T17:40:49.246Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67269", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T16:37:07.630167Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T16:43:01.964Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7"}, {"url": "https://gitlab.com/gpsd/gpsd"}, {"url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md"}], "descriptions": [{"lang": "en", "value": "An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-02T15:49:05.691Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67269", "state": "PUBLISHED", "dateUpdated": "2026-01-06T17:40:49.246Z", "dateReserved": "2025-12-08T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gpsd_project:gpsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CBC8583-D71F-4E6F-AB7D-51A3C15270B9", "versionEndExcluding": "3.27.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition."}], "id": "CVE-2025-67269", "lastModified": "2026-01-09T22:07:39.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-02T16:17:01.100", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://gitlab.com/gpsd/gpsd"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "gpsd: gpsd: Denial of Service due to malformed NAVCOM packet parsing", "id": "2426810", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426810"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-191", "details": ["A flaw was found in gpsd. A remote attacker can exploit this vulnerability by sending a specially crafted NAVCOM packet. When parsing the packet, an error in calculating the payload length can cause the system to attempt to process an extremely large amount of data. This leads to excessive CPU utilization, resulting in a Denial of Service (DoS) condition where the system becomes unresponsive."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.\nExposure can be reduced by restricting gpsd from listening on network sockets, limiting input sources to trusted serial devices only, and ensuring the service is not accessible from untrusted networks. Deployments that do not require NAVCOM packet support should consider disabling or filtering such input where possible to further minimize risk."}, "name": "CVE-2025-67269", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gpsd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gpsd-minimal", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-67269\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67269\nhttps://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md\nhttps://gitlab.com/gpsd/gpsd\nhttps://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7"], "statement": "This vulnerability is rated Important for Red Hat because gpsd is susceptible to a remote denial-of-service condition triggered through malformed NAVCOM packets processed from untrusted input sources. A specially crafted packet can induce an unsigned integer underflow during packet length calculation in the NAVCOM parsing state machine, resulting in an excessively large length value and causing the parser to enter a non-terminating read state. Although the flaw does not directly lead to memory corruption, its severity is elevated because it affects a core parsing path that continuously processes streaming input and can be exploited with a single malformed packet, without authentication or sustained attacker interaction. The resulting sustained 100% CPU utilization renders the gpsd service unresponsive to all dependent clients, impacting system functionality wherever gpsd is exposed to network-based inputs or externally influenced serial devices.", "threat_severity": "Important"}

{"created": "2026-01-05T12:25:11.298159+00:00", "updated": "2026-01-05T12:25:11.298225+00:00", "vendors": ["gpsd_project", "gpsd_project$PRODUCT$gpsd"]}