Bug#1135997: gdal: CVE-2026-8084 CVE-2026-8086 CVE-2026-8087 CVE-2026-8088

Fri May 8 14:08:14 BST 2026

Source: gdal
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gdal.

CVE-2026-8084[0]:
| A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This
| vulnerability affects the function memmove of the file
| frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File
| Handler. This manipulation causes out-of-bounds read. The attack is
| restricted to local execution. The exploit has been publicly
| disclosed and may be utilized. Upgrading to version 3.13.0RC1 is
| able to resolve this issue. Patch name:
| a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected
| component is advised.

https://github.com/OSGeo/gdal/issues/14378
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)

CVE-2026-8086[1]:
| A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This
| issue affects the function SWnentries of the file frmts/hdf4/hdf-
| eos/SWapi.c. Such manipulation of the argument DimensionName leads
| to heap-based buffer overflow. The attack must be carried out
| locally. The exploit is publicly available and might be used.
| Upgrading to version 3.12.4RC1 is capable of addressing this issue.
| The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636.
| It is advisable to upgrade the affected component.

https://github.com/OSGeo/gdal/issues/14356
https://github.com/OSGeo/gdal/pull/14361
https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 (v3.12.4RC1)

CVE-2026-8087[2]:
| A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4.
| Impacted is the function GDnentries of the file frmts/hdf4/hdf-
| eos/GDapi.c. Performing a manipulation of the argument DataFieldName
| results in heap-based buffer overflow. The attack must be initiated
| from a local position. The exploit has been released to the public
| and may be used for attacks. Upgrading to version 3.13.0RC1 is
| recommended to address this issue. The patch is named
| 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the
| affected component.

https://github.com/OSGeo/gdal/issues/14363
https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b (v3.13.0RC1)

CVE-2026-8088[3]:
| A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The
| affected element is the function GDfieldinfo of the file
| frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to
| out-of-bounds read. The attack needs to be launched locally. The
| exploit has been made available to the public and could be used for
| attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this
| issue. This patch is called
| a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component
| should be upgraded.

https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
https://github.com/OSGeo/gdal/issues/14379

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8084
    https://www.cve.org/CVERecord?id=CVE-2026-8084
[1] https://security-tracker.debian.org/tracker/CVE-2026-8086
    https://www.cve.org/CVERecord?id=CVE-2026-8086
[2] https://security-tracker.debian.org/tracker/CVE-2026-8087
    https://www.cve.org/CVERecord?id=CVE-2026-8087
[3] https://security-tracker.debian.org/tracker/CVE-2026-8088
    https://www.cve.org/CVERecord?id=CVE-2026-8088

Please adjust the affected versions in the BTS as needed.