CVE-2026-49014

NameCVE-2026-49014
DescriptionIn GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gdal (PTS)bullseye (security), bullseye3.2.2+dfsg-2+deb11u2vulnerable
bookworm3.6.2+dfsg-1vulnerable
trixie3.10.3+dfsg-1vulnerable
forky, sid3.13.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gdalsource(unstable)3.13.1+dfsg-1

Notes

[trixie] - gdal <no-dsa> (Minor issue)
[bookworm] - gdal <no-dsa> (Minor issue)
https://github.com/OSGeo/gdal/issues/14594
https://github.com/OSGeo/gdal/pull/14598
Fixed by: https://github.com/OSGeo/gdal/commit/c49254dc6380af2f02ff43ca79e3cf7c1bc82f01
Fixed by: https://github.com/OSGeo/gdal/commit/50eea7456d83c9586f112ef96b43249372839dea (v3.13.1RC1)
Search for package or bug name: Reporting problems