{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33147", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.884Z", "datePublished": "2026-03-20T20:10:28.066Z", "dateUpdated": "2026-03-25T13:56:20.930Z"}, "containers": {"cna": {"title": "GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg"}, {"name": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082", "tags": ["x_refsource_MISC"], "url": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082"}], "affected": [{"vendor": "GenericMappingTools", "product": "gmt", "versions": [{"version": "<= 6.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:10:28.066Z"}, "descriptions": [{"lang": "en", "value": "GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49."}], "source": {"advisory": "GHSA-fqxx-62x7-9gwg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:56:17.341958Z", "id": "CVE-2026-33147", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:56:20.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33147", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:56:17.341958Z"}}}], "references": [{"url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:56:12.581Z"}}], "cna": {"title": "GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id", "source": {"advisory": "GHSA-fqxx-62x7-9gwg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "GenericMappingTools", "product": "gmt", "versions": [{"status": "affected", "version": "<= 6.6.0"}]}], "references": [{"url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "name": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082", "name": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:10:28.066Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33147", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:56:20.930Z", "dateReserved": "2026-03-17T21:17:08.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T20:10:28.066Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:generic-mapping-tools:gmt:*:*:*:*:*:*:*:*", "matchCriteriaId": "D97E9703-6269-40B4-ACBF-EF3D93E0D545", "versionEndIncluding": "6.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmt_remote.c. This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. This issue has been patched via commit 0ad2b49."}, {"lang": "es", "value": "GMT es una colecci\u00f3n de c\u00f3digo abierto de herramientas de l\u00ednea de comandos para manipular conjuntos de datos geogr\u00e1ficos y cartesianos. En versiones desde la 6.6.0 y anteriores, se identific\u00f3 una vulnerabilidad de desbordamiento de b\u00fafer basado en pila en la funci\u00f3n gmt_remote_dataset_id dentro de src/gmt_remote.c. Este problema ocurre cuando una cadena larga especialmente dise\u00f1ada se pasa como un identificador de conjunto de datos (p. ej., a trav\u00e9s del m\u00f3dulo which), lo que lleva a un fallo o a una potencial ejecuci\u00f3n de c\u00f3digo arbitrario. Este problema ha sido parcheado mediante el commit 0ad2b49."}], "id": "CVE-2026-33147", "lastModified": "2026-03-27T21:07:19.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T21:17:15.243", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/GenericMappingTools/gmt/commit/0ad2b491470df82c9ec1139dcbd70502fa28a082"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/GenericMappingTools/gmt/security/advisories/GHSA-fqxx-62x7-9gwg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "gmt", "source": "cna", "vendor": "GenericMappingTools"}, "product": "gmt", "vendor": "genericmappingtools"}], "analysis": {"en": {"generated_at": "2026-03-20T21:21:54.968319+00:00", "value": {"mitigation_remediation": ["Apply the patch in commit 0ad2b49 or upgrade to the latest GMT release that includes this fix."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GenericMappingTools GMT distribution, specifically versions 6.6.0 and earlier. A fix was applied in the commit identified by 0ad2b49, which patches the gmt_remote.c source file.", "description_and_impact": "A stack-based buffer overflow exists in the GMT gmt_remote_dataset_id function when a specially crafted long string is passed as a dataset identifier. This flaw can cause the program to crash or, under the right circumstances, allow arbitrary execution of code. The underlying weakness is a classic stack corruption vulnerability (CWE\u2011121).", "risk_and_exploitability": "The CVSS score of 7.3 indicates high severity. No EPSS data is reported, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The likely attack scenario involves an attacker supplying a malicious dataset identifier, such as via the which module, either locally or through an exposed service that invokes GMT. Without a specialized environment, the attack requires the ability to execute GMT commands with controlled input. The risk remains significant due to the potential for remote code execution."}}}}, "created": "2026-03-23T09:52:46.387030+00:00", "updated": "2026-03-25T14:34:41.789738+00:00", "vendors": ["genericmappingtools", "genericmappingtools$PRODUCT$gmt"]}