[From nobody Fri May  8 14:23:08 2026
Received: (at submit) by bugs.debian.org; 8 May 2026 13:08:14 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.0 required=4.0 tests=BAYES_00,MD5_SHA1_SUM,
 SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 73; hammy, 149; neutral, 68; spammy,
 1. spammytokens:0.953-+--launched
 hammytokens:0.000-+--UD:security-tracker.debian.org,
 0.000-+--security-tracker.debian.org,
 0.000-+--securitytrackerdebianorg, 0.000-+--H*r:jmm, 0.000-+--sk:teamse
Return-path: &lt;jmm@inutil.org&gt;
Received: from inutil.org ([51.38.114.215]:43632 helo=vps-b7ad3695.vps.ovh.net)
 by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from &lt;jmm@inutil.org&gt;) id 1wLKw9-000jFw-20
 for submit@bugs.debian.org; Fri, 08 May 2026 13:08:14 +0000
Received: from soju.westfalen.local (p548dc5fc.dip0.t-ipconnect.de
 [84.141.197.252])
 by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id 96C141F9
 for &lt;submit@bugs.debian.org&gt;; Fri,  8 May 2026 13:08:12 +0000 (UTC)
Received: from jmm by soju.westfalen.local with local (Exim 4.99.2)
 (envelope-from &lt;jmm@soju.westfalen.local&gt;) id 1wLKwA-00000006z67-1ASp
 for submit@bugs.debian.org; Fri, 08 May 2026 15:08:14 +0200
Date: Fri, 8 May 2026 15:08:14 +0200
To: submit@bugs.debian.org
Subject: gdal: CVE-2026-8084 CVE-2026-8086 CVE-2026-8087 CVE-2026-8088
Message-ID: &lt;af3gPk0SgDF6iFdG@pisco.westfalen.local&gt;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= &lt;jmm@inutil.org&gt;
Delivered-To: submit@bugs.debian.org

Source: gdal
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gdal.

CVE-2026-8084[0]:
| A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This
| vulnerability affects the function memmove of the file
| frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File
| Handler. This manipulation causes out-of-bounds read. The attack is
| restricted to local execution. The exploit has been publicly
| disclosed and may be utilized. Upgrading to version 3.13.0RC1 is
| able to resolve this issue. Patch name:
| a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected
| component is advised.

https://github.com/OSGeo/gdal/issues/14378
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)


CVE-2026-8086[1]:
| A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This
| issue affects the function SWnentries of the file frmts/hdf4/hdf-
| eos/SWapi.c. Such manipulation of the argument DimensionName leads
| to heap-based buffer overflow. The attack must be carried out
| locally. The exploit is publicly available and might be used.
| Upgrading to version 3.12.4RC1 is capable of addressing this issue.
| The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636.
| It is advisable to upgrade the affected component.

https://github.com/OSGeo/gdal/issues/14356
https://github.com/OSGeo/gdal/pull/14361
https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 (v3.12.4RC1)


CVE-2026-8087[2]:
| A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4.
| Impacted is the function GDnentries of the file frmts/hdf4/hdf-
| eos/GDapi.c. Performing a manipulation of the argument DataFieldName
| results in heap-based buffer overflow. The attack must be initiated
| from a local position. The exploit has been released to the public
| and may be used for attacks. Upgrading to version 3.13.0RC1 is
| recommended to address this issue. The patch is named
| 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the
| affected component.

https://github.com/OSGeo/gdal/issues/14363
https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b (v3.13.0RC1)


CVE-2026-8088[3]:
| A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The
| affected element is the function GDfieldinfo of the file
| frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to
| out-of-bounds read. The attack needs to be launched locally. The
| exploit has been made available to the public and could be used for
| attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this
| issue. This patch is called
| a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component
| should be upgraded.

https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
https://github.com/OSGeo/gdal/issues/14379


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities &amp; Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8084
    https://www.cve.org/CVERecord?id=CVE-2026-8084
[1] https://security-tracker.debian.org/tracker/CVE-2026-8086
    https://www.cve.org/CVERecord?id=CVE-2026-8086
[2] https://security-tracker.debian.org/tracker/CVE-2026-8087
    https://www.cve.org/CVERecord?id=CVE-2026-8087
[3] https://security-tracker.debian.org/tracker/CVE-2026-8088
    https://www.cve.org/CVERecord?id=CVE-2026-8088

Please adjust the affected versions in the BTS as needed.
]