External risk intelligence

gpsd NMEA2000 Packet Handling Heap Out-of-Bounds Write Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-67268

gpsd is a daemon designed to interface with local GPS hardware and provide data to local clients. It is typically deployed as a local service on embedded systems, Linux servers, or workstations to manage hardware-level positioning data, not as a public-facing network service or internet gateway.

Denial of Service

Gpsd Project Gpsd

before 3.27.1

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the gpsd software could allow an attacker to disrupt services or potentially execute malicious code by sending specially crafted data packets. This issue impacts systems that rely on gpsd for location data, and while typically a local service, its potential for broad impact warrants attention.

  • gpsd can be disrupted by malicious data.
  • Affects systems using gpsd for location services.
  • Confirm relevance and exposure to mitigate risk.

Attack Path

How an attacker could exploit the issue

An attacker can remotely trigger a vulnerability in the gpsd service by sending specially crafted NMEA2000 packets. The service, which processes GPS data, does not properly check the number of satellites reported in a specific packet type. This could lead to memory corruption, potentially allowing an attacker to disrupt the service or execute their own code.

  • No authentication or user interaction needed.
  • Triggered by malformed NMEA2000 packets.
  • Risk of denial-of-service or code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow an unauthenticated attacker to corrupt memory in the gpsd service by sending specially crafted NMEA2000 packets. This could lead to the service crashing or, under certain conditions, potentially allow the attacker to execute arbitrary code.

  • gpsd service memory.
  • Network-sent NMEA2000 packets.
  • Service instability or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical vulnerability in gpsd's NMEA2000 PGN 129540 handling impacts systems that process these specific GPS packets, potentially leading to memory corruption or code execution. System owners and platform teams are likely responsible for managing gpsd deployments. The first practical step involves identifying all instances of gpsd, determining their network exposure and business criticality, and then coordinating remediation with the accountable teams, which may involve vendor coordination or temporary risk reduction measures if immediate patching is not feasible.

  • Ownership: Platform and application owners.
  • Verify: Network reachability and asset criticality.
  • Action: Plan and execute risk-based remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the gpsd software used for?

gpsd is a specialized daemon that acts as a bridge between hardware GPS receivers and the applications that need location data. It translates raw signals from satellites into a format that Linux servers, embedded systems, and workstations can easily understand. By running in the background, it allows multiple local programs to access navigation information simultaneously from a single physical sensor.

How does this heap out-of-bounds write affect gpsd?

This vulnerability is a memory safety flaw classified as CWE-122. It happens when the software processes specific NMEA2000 packets without checking if the data fits into the memory reserved for it. Because the code trusts the satellite count provided in the packet, an attacker can overwrite adjacent memory, which might cause the service to crash or allow unauthorized control over the program's execution.

Does a standard GPS connection trigger this CVE-2025-67268 bug?

No, a standard GPS connection does not automatically trigger this. The flaw is specific to the handling of NMEA2000 PGN 129540 packets. The bug is triggered only when the software receives a packet claiming to have more satellites than the internal array can store. If your system does not process these specific NMEA2000 data types, it is not susceptible to this particular memory corruption path.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that this is very unlikely to be a widespread internet-facing issue. gpsd is typically designed to function as a local service on embedded devices or servers, rather than as a gateway exposed to the public internet. You should focus your investigation on systems that have been deliberately configured to accept NMEA2000 input over a network rather than those using standard local serial hardware.

What is the recommended first step for administrators?

Begin by identifying all running instances of gpsd across your infrastructure. Determine which of these specific deployments are configured to process NMEA2000 data, as this is the only path that triggers the vulnerability. Once you have a clear inventory, prioritize those systems for updates or isolation, coordinating with the teams responsible for your GPS-reliant hardware and software platforms to ensure they are moved to a secure, patched version.

References