OSGeo GDAL Heap-Based Buffer Overflow Vulnerability in HDF4-EOS SWSDfldsrch Function

Vulnerability

A heap-based buffer overflow vulnerability has been identified in OSGeo GDAL versions through 3.13.0dev-4. The issue arises in the HDF4-EOS handling, specifically within the SWSDfldsrch function of the SWapi.c file. The vulnerability is triggered by an unsigned underflow in the quote-stripping process, which can be exploited to read an excessive amount of data from the stack, leading to a crash. This vulnerability requires local access to exploit.
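To make the mechanism concrete, here is an added illustration of the bug class described above: an unsigned length computed as `len - 2` while stripping surrounding quotes, which wraps when the closing quote is missing, shown beside a bounds-checked version. This is hypothetical example code written for this page, not GDAL's SWapi.c; the function names and the constructed field-name inputs are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class, not GDAL's SWapi.c.
 * Both functions take a field name (constructed input) and strip
 * the surrounding double quotes. */

/* Defective pattern: `len - 2` is evaluated in size_t on the
 * assumption that both quotes are present. For a lone '"' (len == 1)
 * the result wraps to SIZE_MAX, so a following memcpy/strncpy reads
 * far past the end of the buffer. Only the length is returned here so
 * the wrap can be observed without performing the over-read. */
size_t quoted_inner_len_unchecked(const char *field)
{
    size_t len = strlen(field);
    return (field[0] == '"') ? len - 2 : len;
}

/* Hardened version: the closing quote is verified before subtracting,
 * an unbalanced quote is rejected, and the destination size is checked.
 * Returns bytes written (excluding the NUL) or (size_t)-1 on error. */
size_t strip_quotes_checked(const char *field, char *out, size_t out_size)
{
    size_t len = strlen(field);
    size_t start = 0, inner = len;

    if (len >= 2 && field[0] == '"' && field[len - 1] == '"') {
        start = 1;
        inner = len - 2;        /* safe: len >= 2 is guaranteed here */
    } else if (len >= 1 && field[0] == '"') {
        return (size_t)-1;      /* unbalanced quote: reject, don't guess */
    }
    if (inner >= out_size)      /* leave room for the terminating NUL */
        return (size_t)-1;
    memcpy(out, field + start, inner);
    out[inner] = '\0';
    return inner;
}

int main(void)
{
    char out[32];
    printf("unchecked, lone quote: %zu (wrapped)\n", quoted_inner_len_unchecked("\""));
    printf("checked,   lone quote: %zu (rejected)\n", strip_quotes_checked("\"", out, sizeof out));
    printf("checked,   \"Longitude\": %zu -> %s\n", strip_quotes_checked("\"Longitude\"", out, sizeof out), out);
    return 0;
}
```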

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced using the 'gdalmdiminfo' command-line tool with a crafted HDF-EOS swath file that triggers the out-of-bounds read. AddressSanitizer (ASan) can be used to detect the memory corruption caused by the vulnerability.

Remediation

Users are advised to upgrade to OSGeo GDAL version 3.13.0RC1, which addresses this vulnerability.

Added: May 9, 2026, 11:19 PM
Updated: May 9, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.3
exploitability: 4.6
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.