CVE-2026-8087
Published 2026-05-07
Priority P3 · 48 · high · 7.8 · CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.22% (12.8th percentile)
A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osgeo | gdal | <= 3.12.4 | — |
| osgeo | gdal | — | — |
| osgeo | gdal | — | — |
| osgeo | gdal | >= 0 < 3.13.0 | 3.13.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 1.9 | LOW | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 4.3 | MEDIUM | AV:L/AC:L/Au:S/C:P/I:P/A:P |
VulDB
OSGeo gdal up to 3.13.0dev-4 GDapi.c GDnentries DataFieldName heap-based overflow (EUVD-2026-28435)
vuldb·2026-05-08·CVSS 1.9
CVE-2026-8087 [LOW] OSGeo gdal up to 3.13.0dev-4 GDapi.c GDnentries DataFieldName heap-based overflow (EUVD-2026-28435)
A vulnerability identified as critical has been detected in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow.
This vulnerability is cataloged as CVE-2026-8087. The attack must be initiated from a local position. Furthermore, there is an exploit available.
You should upgrade the affected component.
GHSA
OSGeo GDAL vulnerable to heap-based buffer overflow
ghsa·2026-05-07
CVE-2026-8087 [LOW] CWE-119 OSGeo GDAL vulnerable to heap-based buffer overflow
GHSA
GHSA-h9rh-5ffh-h669: A security flaw has been discovered in OSGeo gdal up to 3
ghsa_unreviewed·2026-05-07
CVE-2026-8087 [LOW] CWE-119 GHSA-h9rh-5ffh-h669: A security flaw has been discovered in OSGeo gdal up to 3
https://github.com/OSGeo/gdal/
https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b
https://github.com/OSGeo/gdal/issues/14363
https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1
https://github.com/biniamf/pocs/tree/main/gdal-gdinqfields_bof
https://vuldb.com/submit/808039
https://vuldb.com/vuln/361840
https://vuldb.com/vuln/361840/cti
Published: 2026-05-07