CVE-2026-8087 - Vulnerability Analysis
MediumCVSS: 5.3Last Updated: May 8, 2026
OSGeo gdal - Buffer Overflow
Published: May 7, 2026Updated: May 8, 2026PoC Available
Overview
OSGeo gdal <= 3.13.0dev-4 contains a heap-based buffer overflow caused by manipulation of the DataFieldName argument in GDnentries function of frmts/hdf4/hdf-eos/GDapi.c, letting local attackers execute arbitrary code, exploit requires local access.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Local attackers can execute arbitrary code by exploiting a heap-based buffer overflow, potentially leading to full system compromise.
Mitigation
Upgrade to version 3.13.0RC1 or later.
References
- https://github.com/OSGeo/gdal/issues/14363
- https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1
- https://github.com/biniamf/pocs/tree/main/gdal-gdinqfields_bof
- https://vuldb.com/submit/808039
- https://vuldb.com/vuln/361840
- https://vuldb.com/vuln/361840/cti
- https://github.com/OSGeo/gdal/
- https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b
Related Resources
Details
- CVE ID
- CVE-2026-8087
- Severity
- Medium
- CVSS Score
- 5.3
- Type
- buffer_overflow
- Status
- confirmed
CWE
- CWE-119
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L