CVE-2025-67269 — Vulnetix

CVE-2025-67269 PUBLISHED CVSS 7.5 HIGH

An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.

EPSS 0.18% · 39.2th percentile

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.18%

39.2th percentile

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
gpsd_project	gpsd	0

Exploit Intelligence

CIRCL seen: CVE-2025-67269 (circl-sighting)
https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 (circl)
https://gitlab.com/gpsd/gpsd (circl)
https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md (nist-nvd)

Timeline

Dec 8, 2025 CVE ID Reserved
Jan 2, 2026 CVE Published
Jan 3, 2026 EPSS Score
Jan 6, 2026 EPSS Score
Jan 6, 2026 CVE Updated
Jan 7, 2026 PoC Published
Jan 10, 2026 EPSS Score
Jan 13, 2026 EPSS Score
Jan 16, 2026 EPSS Score
Jan 20, 2026 EPSS Score
Jan 23, 2026 EPSS Score
Jan 26, 2026 EPSS Score

References

Open in Interactive Console →