CVE-2026-8088

LOW

OSGeo gdal GDapi.c GDfieldinfo out-of-bounds

Title source: cna

Description

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.

References (8)

Core 8

Core References

Product product

https://github.com/OSGeo/gdal/

Vdb Entry, Technical Description vdb-entry technical-description

VDB-361841 | OSGeo gdal GDapi.c GDfieldinfo out-of-bounds

https://vuldb.com/vuln/361841

Signature, Permissions Required signature permissions-required

VDB-361841 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/361841/cti

Third Party Advisory third-party-advisory

Submit #808040 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read

https://vuldb.com/submit/808040

Issue Tracking issue-tracking

https://github.com/OSGeo/gdal/issues/14379

Exploit exploit

https://github.com/biniamf/pocs/tree/main/gdal-gdapi-gdfinfo-dimlist-oob-read

View Exploit ZIP pw:eip

Patch patch

https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c

View Patch ZIP pw:eip

Patch patch

https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1

Scores

CVSS v3 3.3

EPSS 0.0001

EPSS Percentile 1.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-119 CWE-125

Status published

Products (5)

osgeo/gdal 3.13.0 beta1 (2 CPE variants)

osgeo/gdal < 3.12.4

OSGeo/gdal 3.13.0RC1

OSGeo/gdal 3.13.0dev-4

pypi/GDAL 0 - 3.13.0PyPI

Published May 07, 2026

Tracked Since May 08, 2026