CVE-2026-49014

Severity CVSS v4.0:
Pending analysis
Type:
CWE-121 Stack-based Buffer Overflow
Publication date:
27/05/2026
Last modified:
04/06/2026

Description

In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*:* 3.1.0 (including) 3.13.0 (including)