CVE-2026-8088

Name: CVE-2026-8088
Description: A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1135997

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                       | Version               | Status
gdal (PTS)     | bullseye (security), bullseye | 3.2.2+dfsg-2+deb11u2  | vulnerable
               | bookworm                      | 3.6.2+dfsg-1          | vulnerable
               | trixie                        | 3.10.3+dfsg-1         | vulnerable
               | forky, sid                    | 3.12.3+dfsg-1         | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
gdal    | source | (unstable) | (unfixed)     |         |        | 1135997

Notes

https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
https://github.com/OSGeo/gdal/issues/14379
