CVE-2026-8088
Published 2026-05-07
Priority: P4 | 25 | medium | 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.25% (15.7th percentile)
A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo in the file frmts/hdf4/hdf-eos/GDapi.c. A manipulation can lead to an out-of-bounds read. The attack must be launched locally. An exploit has been made publicly available and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. The patch is identified as a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osgeo | gdal | <= 3.12.4 | — |
| osgeo | gdal | — | — |
| osgeo | gdal | — | — |
| osgeo | gdal | >= 0 < 3.13.0 | 3.13.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 1.9 | LOW | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 1.7 | LOW | AV:L/AC:L/Au:S/C:N/I:N/A:P |
VulDB
OSGeo gdal up to 3.13.0dev-4 GDapi.c GDfieldinfo out-of-bounds (Issue 14379 / EUVD-2026-28436)
vuldb·2026-05-08·CVSS 1.9
CVE-2026-8088 [LOW] OSGeo gdal up to 3.13.0dev-4 GDapi.c GDfieldinfo out-of-bounds (Issue 14379 / EUVD-2026-28436)
A vulnerability labeled as problematic has been found in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read.
This vulnerability is registered as CVE-2026-8088. The attack needs to be launched locally. Furthermore, an exploit is available.
The affected component should be upgraded.
GHSA
OSGeo GDAL vulnerable to out-of-bounds read
ghsa·2026-05-07
CVE-2026-8088 [LOW] CWE-119 OSGeo GDAL vulnerable to out-of-bounds read
GHSA
GHSA-j3f5-rw74-g4rv: A weakness has been identified in OSGeo gdal up to 3
ghsa_unreviewed·2026-05-07
CVE-2026-8088 [LOW] CWE-119 GHSA-j3f5-rw74-g4rv: A weakness has been identified in OSGeo gdal up to 3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/OSGeo/gdal/
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c
https://github.com/OSGeo/gdal/issues/14379
https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1
https://github.com/biniamf/pocs/tree/main/gdal-gdapi-gdfinfo-dimlist-oob-read
https://vuldb.com/submit/808040
https://vuldb.com/vuln/361841
https://vuldb.com/vuln/361841/cti