CVE-2026-8212

Name: CVE-2026-8212
Description: A flaw has been found in OSGeo gdal up to 3.13.0dev-4. The vulnerable code is the function SWSDfldsrch in the file frmts/hdf4/hdf-eos/SWapi.c. Manipulated input can trigger a heap-based buffer overflow. The attack requires local access. An exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue; the fix is commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version                 Status
gdal (PTS)       bullseye (security), bullseye   3.2.2+dfsg-2+deb11u2    vulnerable
                 bookworm                        3.6.2+dfsg-1            vulnerable
                 trixie                          3.10.3+dfsg-1           vulnerable
                 forky, sid                      3.13.1+dfsg-1           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
gdal      source   (unstable)   3.13.0+dfsg-1

Notes

[trixie] - gdal <no-dsa> (Minor issue)
[bookworm] - gdal <no-dsa> (Minor issue)
https://github.com/OSGeo/gdal/issues/14398
https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd (v3.13.0RC1)
