CVE-2026-8084

Name
CVE-2026-8084
Description
A vulnerability was found in OSGeo gdal up to 3.13.0dev-4. It affects the function memmove in the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. Manipulation causes an out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be used. Upgrading to version 3.13.0RC1 resolves this issue. The patch is named a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
NVD Severity
unknown

References

Type URI
Product https://github.com/OSGeo/gdal/
Patch https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c
Exploit https://github.com/OSGeo/gdal/issues/14378
Release Notes https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1
Third Party Advisory https://github.com/biniamf/pocs/blob/main/gdal_swfinfo_dimlist_oob-rw
Exploit https://github.com/biniamf/pocs/tree/main/gdal_swfinfo_dimlist_oob-rw
Exploit https://vuldb.com/submit/808034
Third Party Advisory https://vuldb.com/vuln/361838
Permissions Required https://vuldb.com/vuln/361838/cti

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:* gdal >= None <= 3.12.4
cpe:2.3:a:osgeo:gdal:3.13.0:beta1:*:*:*:*:*:* gdal == None == 3.13.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gdal edge-community 3.13.0-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.13.0-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.4-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.3-r4 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.3-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.3-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.3-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.3-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.2-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.2-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.2-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.1-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.1-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.1-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.1-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.12.0-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.5-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.5-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.5-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r6 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r5 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r4 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.4-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.3-r4 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.3-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.3-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.3-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.3-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.1-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.1-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.0-r4 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.0-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.0-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.11.0-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.3-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.3-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.2-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.2-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.2-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.1-r3 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.1-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.1-r1 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.1-r0 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal edge-community 3.10.0-r7 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable
gdal 3.23-community 3.11.5-r2 Holger Jaekel <holger.jaekel@gmx.de> possibly vulnerable