
Description

A weakness has been identified in OSGeo GDAL up to 3.13.0dev-4. The affected element is the function GDfieldinfo in frmts/hdf4/hdf-eos/GDapi.c, the HDF-EOS grid API bundled with GDAL's HDF4 driver. Processing a manipulated input can trigger an out-of-bounds read. The attack needs to be launched locally, i.e. a crafted HDF4/HDF-EOS file has to be opened by a GDAL-based process; the CVSS vectors below score the impact as availability only (a crash of that process), with no confidentiality or integrity impact. A public proof-of-concept exploit is available and could be used for attacks. Because the code lives in the HDF4 driver, a GDAL build without that driver does not contain the affected code path. Upgrading to version 3.13.0RC1 or later fixes this issue; the fix is commit a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
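The following checker is an added example and is not part of the CVE record, of VulDB's advisory or of GDAL itself. It decides whether a GDAL version string falls before the fixed release 3.13.0RC1 and, when the osgeo Python bindings are installed, whether the HDF4 driver that contains GDfieldinfo is present. It assumes GDAL's version naming orders dev builds before RC builds before final releases (consistent with the two versions named on this page), and it reads the advisory's "up to 3.13.0dev-4" as every version ordered before the fix; confirm older release lines against the upstream issue before acting on that reading. The sample version strings in the comments and tests are constructed.

```python
import re
from typing import Tuple

# Threshold taken from the advisory: 3.13.0RC1 and later are unaffected.
FIXED_VERSION = "3.13.0RC1"

# Pre-release ordering for GDAL version strings (assumption about the naming
# scheme, matching the strings on this page): dev < RC < final release.
_STAGE_RANK = {"dev": 0, "rc": 1, "": 2}

# Matches "3.13.0", "3.13.0RC1", "3.13.0dev-4" or "3.13.0dev-<hash>" anywhere in
# a string such as the output of `gdalinfo --version` (constructed examples).
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:(?P<stage>dev|rc)-?(?P<build>[0-9A-Za-z]*))?",
    re.IGNORECASE,
)


def parse_gdal_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable (major, minor, patch, stage, build) tuple.

    Numeric build suffixes (dev-4, RC1) order naturally; a commit-hash suffix
    on a dev build carries no ordering information and is ranked 0.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no GDAL version number found in {text!r}")
    stage = (m.group("stage") or "").lower()
    build = m.group("build") or ""
    build_rank = int(build) if build.isdigit() else 0
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("patch")),
        _STAGE_RANK[stage],
        build_rank,
    )


def is_affected(version_text: str) -> bool:
    """True when the version orders before the fixed release 3.13.0RC1.

    Reads the advisory's "up to 3.13.0dev-4" as every version before the fix
    (an interpretation, not a statement from the record).
    """
    return parse_gdal_version(version_text) < parse_gdal_version(FIXED_VERSION)


def has_hdf4_driver() -> bool:
    """True when the installed GDAL bindings expose the HDF4 driver.

    GDfieldinfo lives in frmts/hdf4, so a build without that driver does not
    contain the affected code path. Requires the osgeo Python bindings.
    """
    from osgeo import gdal  # GDAL's own bindings; ImportError if not installed

    return gdal.GetDriverByName("HDF4") is not None


if __name__ == "__main__":
    try:
        from osgeo import gdal
    except ImportError:
        print("osgeo bindings not installed; pass `gdalinfo --version` output to is_affected()")
    else:
        # RELEASE_NAME is a real VersionInfo request; the exact dev-build suffix format is assumed.
        version = gdal.VersionInfo("RELEASE_NAME")
        print(f"GDAL {version}: affected={is_affected(version)}, hdf4_driver={has_hdf4_driver()}")
```

Without the bindings, feed the string printed by `gdalinfo --version` to is_affected(); a result of False only means the build is at or past the fix, while has_hdf4_driver() returning False means the vulnerable code is not compiled in at all.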

State: PUBLISHED | Reserved: 2026-05-07 | Published: 2026-05-07 | Updated: 2026-05-08 | Assigner: VulDB

CVSS 4.0: 4.8 MEDIUM (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P)
CVSS 3.1: 3.3 LOW (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C)
CVSS 3.0: 3.3 LOW (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C)
CVSS 2.0: 1.7 (AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

Problem types

Out-of-Bounds Read

Memory Corruption

Product status

3.13.0dev-4: affected

3.13.0RC1: unaffected

Timeline

2026-05-07: Advisory disclosed
2026-05-07: VulDB entry created
2026-05-07: VulDB entry last update

Credits

biniam (VulDB User) reporter

References

vuldb.com/vuln/361841 (VDB-361841 | OSGeo gdal GDapi.c GDfieldinfo out-of-bounds) vdb-entry technical-description

vuldb.com/vuln/361841/cti (VDB-361841 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/808040 (Submit #808040 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read) third-party-advisory

github.com/OSGeo/gdal/issues/14379 issue-tracking

github.com/.../tree/main/gdal-gdapi-gdfinfo-dimlist-oob-read exploit

github.com/...ommit/a791f70f8eaec540974ec989ca6fb00266b7646c patch

github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 patch

github.com/OSGeo/gdal/ product

cve.org (CVE-2026-8088)

nvd.nist.gov (CVE-2026-8088)
