CVE-2026-8087

Source
https://cve.org/CVERecord?id=CVE-2026-8087
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8087.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8087
Aliases
Downstream
Related
Published
2026-05-07T19:00:15.040Z
Modified
2026-07-15T02:21:12.231815712Z
Severity
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
OSGeo gdal GDapi.c GDnentries heap-based overflow
Details

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component.

Database specific
{
    "cna_assigner": "VulDB",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.13.0dev-4"
                },
                {
                    "last_affected": "3.13.0dev-4"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-119",
        "CWE-122"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8087.json"
}
References

Affected packages

Git / github.com/osgeo/gdal

Affected ranges

Type
GIT
Repo
https://github.com/osgeo/gdal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.12.4"
        },
        {
            "introduced": "3.13.0-beta1"
        },
        {
            "last_affected": "3.13.0-beta1"
        },
        {
            "introduced": "3.13.0-beta2"
        },
        {
            "last_affected": "3.13.0-beta2"
        }
    ],
    "cpe": [
        "cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:osgeo:gdal:3.13.0:beta1:*:*:*:*:*:*",
        "cpe:2.3:a:osgeo:gdal:3.13.0:beta2:*:*:*:*:*:*"
    ]
}

Affected versions

2.*
2.4.4
3.*
3.0.3
3.13.0-beta1
3.13.0-beta2
v2.*
v2.3.0beta1
v2.4.0
v3.*
v3.1.0RC1
v3.11.0beta1
v3.12.0RC1
v3.12.0beta0
v3.12.0beta1
v3.12.0rc0
v3.12.1
v3.12.1RC1
v3.12.2
v3.12.2RC1
v3.12.3
v3.12.3RC1
v3.12.3RC2
v3.12.4
v3.12.4RC1
v3.13.0beta1
v3.3.0
v3.3.0RC1
v3.3.0beta1
v3.5.0RC1
v3.6.0RC1
v3.8.0RC1
v3.8.0beta1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8087.json"