{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33147", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.884Z", "datePublished": "2026-03-20T20:10:28.066Z", "dateUpdated": "2026-03-25T13:56:20.930Z"}, "containers": {"cna": {"title": "GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg"}, {"name": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082", "tags": ["x_refsource_MISC"], "url": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082"}], "affected": [{"vendor": "GenericMappingTools", "product": "gmt", "versions": [{"version": "<= 6.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:10:28.066Z"}, "descriptions": [{"lang": "en", "value": "GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49."}], "source": {"advisory": "GHSA-fqxx-62x7-9gwg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:56:17.341958Z", "id": "CVE-2026-33147", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:56:20.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33147", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:56:17.341958Z"}}}], "references": [{"url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:56:12.581Z"}}], "cna": {"title": "GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id", "source": {"advisory": "GHSA-fqxx-62x7-9gwg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "GenericMappingTools", "product": "gmt", "versions": [{"status": "affected", "version": "<= 6.6.0"}]}], "references": [{"url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "name": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082", "name": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:10:28.066Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33147", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:56:20.930Z", "dateReserved": "2026-03-17T21:17:08.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T20:10:28.066Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:generic-mapping-tools:gmt:*:*:*:*:*:*:*:*", "matchCriteriaId": "D97E9703-6269-40B4-ACBF-EF3D93E0D545", "versionEndIncluding": "6.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49."}, {"lang": "es", "value": "GMT es una colecci\u00f3n de c\u00f3digo abierto de herramientas de l\u00ednea de comandos para manipular conjuntos de datos geogr\u00e1ficos y cartesianos. En versiones desde la 6.6.0 y anteriores, se identific\u00f3 una vulnerabilidad de desbordamiento de b\u00fafer basado en pila en la funci\u00f3n gmt_remote_dataset_id dentro de src/gmt_remote.c. Este problema ocurre cuando una cadena larga especialmente dise\u00f1ada se pasa como un identificador de conjunto de datos (p. ej., a trav\u00e9s del m\u00f3dulo which), lo que lleva a un fallo o a una potencial ejecuci\u00f3n de c\u00f3digo arbitrario. Este problema ha sido parcheado mediante el commit 0ad2b49."}], "id": "CVE-2026-33147", "lastModified": "2026-03-27T21:07:19.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T21:17:15.243", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "gmt", "source": "cna", "vendor": "GenericMappingTools"}, "product": "gmt", "vendor": "genericmappingtools"}], "analysis": {"en": {"generated_at": "2026-03-28T05:22:19.138872+00:00", "value": {"mitigation_remediation": ["Update GMT to a patched release that implements commit 0ad2b49 or later.", "If an upgrade is not immediately possible, ensure that any dataset identifier passed to gmt_remote_dataset_id is validated or sanitized to prevent excessively long strings from being accepted.", "Monitor system logs for unexpected crashes or signs of stack corruption that might indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GenericMappingTools GMT command\u2011line suite. All releases up to and including version\u202f6.6.0 are impacted. Systems that run these older GMT binaries and process dataset identifiers derived from external input are susceptible.", "description_and_impact": "GMT versions 6.6.0 and earlier have a stack-based buffer overflow in the gmt_remote_dataset_id function in src/gmt_remote.c. An attacker who supplies an unusually long dataset identifier string\u2014such as via the which module\u2014can trigger the overflow, potentially corrupting the stack and leading to a crash or arbitrary code execution. This weakness is classified as CWE-121, indicating improper buffer bounds handling.", "risk_and_exploitability": "The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The issue is not listed in CISA\u2019s KEV catalog. Based on the description, the attack vector is inferred to be local, requiring the attacker to execute GMT with crafted input or have some form of local or privileged access to trigger the overflow."}}}}, "created": "2026-03-23T09:52:46.387030+00:00", "updated": "2026-03-29T20:28:55.052422+00:00", "vendors": ["genericmappingtools", "genericmappingtools$PRODUCT$gmt"]}