CVE-2025-67269

Name: CVE-2025-67269
Description: An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1124799
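
The length computation from the description, placed in a toy lexer so the unchecked and bounds-checked behaviour can be compared on the same input. This is an added example, not gpsd's code or the upstream patch; the framing, the `feed()`/`run()` helpers, the `c < 4` rejection and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy framing (assumption): one length byte, then (length - 4) payload bytes. */
enum state { GROUND, PAYLOAD };
struct lexer { enum state st; size_t length; unsigned packets; };

/* The computation quoted in the description, with no lower bound on c. */
static size_t len_unchecked(unsigned char c) { return (size_t)c - 4; }

/* Feed one byte; checked != 0 enables the added c < 4 rejection. */
static void feed(struct lexer *lx, unsigned char c, int checked)
{
    if (lx->st == PAYLOAD) {
        if (--lx->length == 0) { lx->packets++; lx->st = GROUND; }
        return;
    }
    if (checked && c < 4)
        return;                       /* malformed length: stay in GROUND */
    lx->length = len_unchecked(c);    /* wraps to near SIZE_MAX if c < 4 */
    if (lx->length == 0) lx->packets++;
    else lx->st = PAYLOAD;
}

/* Number of complete packets recognised in buf. */
static unsigned run(const unsigned char *buf, size_t n, int checked)
{
    struct lexer lx = { GROUND, 0, 0 };
    for (size_t i = 0; i < n; i++)
        feed(&lx, buf[i], checked);
    return lx.packets;
}

/* Constructed stream: valid packet, bad length byte 0x02, two valid packets. */
static const unsigned char SAMPLE[] =
    { 0x06, 0xAA, 0xBB, 0x02, 0x06, 0xCC, 0xDD, 0x05, 0xEE };

int main(void)
{
    printf("len_unchecked(2) = %zu\n", len_unchecked(2));
    printf("packets, unchecked: %u\n", run(SAMPLE, sizeof SAMPLE, 0));
    printf("packets, checked:   %u\n", run(SAMPLE, sizeof SAMPLE, 1));
    return 0;
}
```

In the unchecked run the lexer stays in the payload state after the bad length byte and swallows every later packet; with the check it resynchronises and recognises them.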

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| gpsd (PTS) | bullseye | 3.22-4 | vulnerable |
| | bookworm | 3.22-4.1 | vulnerable |
| | trixie | 3.25-5 | vulnerable |
| | forky, sid | 3.27-1.1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gpsd | source | (unstable) | (unfixed) | | | 1124799 |

Notes

[trixie] - gpsd <no-dsa> (Minor issue)
[bookworm] - gpsd <no-dsa> (Minor issue)
https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md
Fixed by: https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 (release-3.27.1)
