CVE-2026-8213 | THREATINT

Description

A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.

PUBLISHED Reserved 2026-05-09 | Published 2026-05-09 | Updated 2026-05-09 | Assigner VulDB

MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MEDIUM: 5.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

MEDIUM: 5.3CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

4.3AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Heap-based Buffer Overflow

Memory Corruption

Product status

3.13.0dev-4
affected

3.13.0RC1
unaffected

Timeline

Credits

biniam (VulDB User) reporter

References

vuldb.com/vuln/362430 (VDB-362430 | OSGeo gdal Grid File GDapi.c GDSDfldsrch heap-based overflow) vdb-entry technical-description

vuldb.com/vuln/362430/cti (VDB-362430 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/808128 (Submit #808128 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read) third-party-advisory

github.com/OSGeo/gdal/issues/14399 issue-tracking

github.com/biniamf/pocs/tree/main/gdal-gdsdfldsrch_oob-read exploit

github.com/…ommit/3e04c0385630e4d42517046d9a4967dfccfeb7fd patch

github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 patch

github.com/OSGeo/gdal/ product

cve.org (CVE-2026-8213)

nvd.nist.gov (CVE-2026-8213)

Download JSON