CVE-2026-33147 Overview
CVE-2026-33147 is a stack-based buffer overflow vulnerability discovered in GMT (Generic Mapping Tools), an open source collection of command-line tools for manipulating geographic and Cartesian data sets. The vulnerability exists in the gmt_remote_dataset_id function within src/gmt_remote.c and affects versions 6.6.0 and prior.
This issue occurs when a specially crafted long string is passed as a dataset identifier (e.g., via the which module), leading to a crash or potential arbitrary code execution. The vulnerability has been patched via commit 0ad2b49.
Critical Impact
A local attacker can exploit this stack-based buffer overflow to crash the application or potentially achieve arbitrary code execution by providing a maliciously crafted long dataset identifier string.
Affected Products
- GMT (Generic Mapping Tools) version 6.6.0
- GMT (Generic Mapping Tools) versions prior to 6.6.0
Discovery Timeline
- 2026-03-20 - CVE-2026-33147 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33147
Vulnerability Analysis
The vulnerability resides in the gmt_remote_dataset_id function within src/gmt_remote.c. The root issue is the unsafe use of strcpy() to copy user-controlled input into a fixed-size buffer without proper bounds checking. When processing dataset identifiers, the function fails to validate the length of the input string before copying it, allowing an attacker to overflow the stack buffer.
This is a classic CWE-121 (Stack-based Buffer Overflow) vulnerability where unbounded string operations can overwrite adjacent stack memory, including return addresses and other control data.
Root Cause
The vulnerable code path uses strcpy() to copy dataset identifier strings into a local buffer without verifying that the input length does not exceed the buffer size (PATH_MAX). When the ifile parameter contains an excessively long string, the strcpy() call writes beyond the allocated buffer boundaries, corrupting the stack.
Attack Vector
The attack requires local access to the system. The vulnerable code path is reached as follows:
- Invoking the GMT which module with a specially crafted long string as the dataset identifier
- The excessively long input is passed to gmt_remote_dataset_id() without length validation
- The unsafe strcpy() operation overflows the stack buffer
- Depending on the overflow content, this can cause a crash or potentially redirect execution flow
// Security patch in src/gmt_remote.c - Fix a buffer overflow. (#8928)
/* Must handle the use of srtm_relief vs earth_relief for the 01s and 03s data */
if (strncmp (&ifile[pos], "srtm_relief_0", 13U) == 0) /* Gave strm special name */
sprintf (file, "earth_%s", &ifile[pos+5]); /* Replace srtm with earth */
- else /* Just copy as is from pos */
- strcpy (file, &ifile[pos]);
+ else { /* Just copy as is from pos */
+ strncpy (file, &ifile[pos], PATH_MAX - 1);
+ file[PATH_MAX - 1] = '\0';
+ }
key = bsearch (file, API->remote_info, API->n_remote_info, sizeof (struct GMT_DATA_INFO), gmtremote_compare_key);
if (key) { /* Make sure we actually got a real hit since file = "earth" will find a key starting with "earth****" */
char *ckey = strrchr (key->file, '.'); /* Find location of the start of the key file extension (or NULL if no extension) */
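Review bot: the srtm branch directly above the changed else still calls sprintf (file, "earth_%s", &ifile[pos+5]) with no bound, so unless the length of ifile is checked somewhere outside this hunk, an identifier that starts with srtm_relief_0 and carries a long tail takes that path and bypasses the new limit. Suggest snprintf (file, PATH_MAX, "earth_%s", &ifile[pos+5]) there and checking its return value. In the new else block, strncpy truncates silently and the clipped name is passed straight to bsearch; consider returning an error when strlen (&ifile[pos]) >= PATH_MAX so a truncated key cannot be matched in place of what the caller supplied.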
Source: GitHub Commit
Detection Methods for CVE-2026-33147
Indicators of Compromise
- Unexpected crashes of GMT tools, particularly the which module, with stack corruption errors
- Segmentation fault errors in system logs when executing GMT commands with long dataset identifiers
- Core dumps containing evidence of stack buffer overflows in the gmt_remote_dataset_id function
- Unusual process behavior or unexpected code execution following GMT tool invocation
Detection Strategies
- Monitor for abnormal GMT process terminations with SIGSEGV or SIGABRT signals
- Implement file integrity monitoring on GMT installation directories to detect unauthorized modifications
- Deploy endpoint detection and response (EDR) solutions capable of detecting stack-based buffer overflow exploitation attempts
- Enable AddressSanitizer (ASan) in development and testing environments to catch buffer overflow attempts
Monitoring Recommendations
- Configure system logging to capture application crashes with full stack traces
- Deploy SentinelOne agents to monitor for exploitation attempts targeting memory corruption vulnerabilities
- Implement process execution monitoring to detect anomalous behavior following GMT tool execution
- Enable audit logging for all GMT command invocations in multi-user environments
How to Mitigate CVE-2026-33147
Immediate Actions Required
- Update GMT to a version containing commit 0ad2b49 or later
- Review and limit access to GMT tools in shared or multi-user environments
- Implement input validation at the application layer if GMT is integrated into larger systems
- Consider deploying application sandboxing to limit the impact of potential exploitation
Patch Information
The vulnerability has been addressed in commit 0ad2b491470df82c9ec1139dcbd70502fa28a082. The fix replaces the unsafe strcpy() call with a bounded strncpy() operation that limits the copy to PATH_MAX - 1 characters and ensures proper null termination.
For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory.
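The following is an added example, not GMT's code or the patch itself: a stricter form of the bounded copy that rejects an overlong identifier instead of truncating it, and applies the same bound to the srtm-to-earth rewrite. The names copy_dataset_id, make_id and ID_MAX (standing in for PATH_MAX) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define ID_MAX 4096  /* assumption: stands in for PATH_MAX, the destination buffer size */

/* Hypothetical helper (not a GMT function): normalise a dataset id into dst.
 * Returns 0 on success, -1 if the result would not fit in dstsz bytes.
 * An overlong id is rejected rather than truncated, so a clipped name
 * is never looked up in place of the one the caller supplied. */
static int copy_dataset_id(char *dst, size_t dstsz, const char *src)
{
    int n;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    if (strncmp(src, "srtm_relief_0", 13) == 0)
        n = snprintf(dst, dstsz, "earth_%s", src + 5);  /* srtm_ -> earth_ */
    else
        n = snprintf(dst, dstsz, "%s", src);
    if (n < 0 || (size_t)n >= dstsz) {  /* snprintf returns the untruncated length */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed sample input: an id of exactly len bytes in a static buffer. */
static const char *make_id(size_t len)
{
    static char big[2 * ID_MAX];
    if (len >= sizeof big) len = sizeof big - 1;
    memset(big, 'A', len);
    big[len] = '\0';
    return big;
}

int main(void)
{
    char file[ID_MAX];
    printf("short id:     %d\n", copy_dataset_id(file, sizeof file, "earth_relief_01d"));
    printf("srtm rewrite: %d -> %s\n", copy_dataset_id(file, sizeof file, "srtm_relief_03s"), file);
    printf("4095 bytes:   %d\n", copy_dataset_id(file, sizeof file, make_id(ID_MAX - 1)));
    printf("4096 bytes:   %d\n", copy_dataset_id(file, sizeof file, make_id(ID_MAX)));
    return 0;
}
```

The last two calls show the boundary: an id of ID_MAX - 1 bytes fits with its terminator, while one of ID_MAX bytes is refused and the destination is left empty.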
Workarounds
- Restrict access to GMT tools to trusted users only until the patch can be applied
- Implement wrapper scripts that validate input length before passing to GMT commands
- Use containerization or sandboxing to isolate GMT execution and limit blast radius
- Deploy system-level protections such as ASLR and stack canaries to make exploitation more difficult
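#!/bin/bash
# Configuration example - Wrapper script to validate input length
# The destination buffer is PATH_MAX bytes including the terminating NUL
# (4096 on Linux; lower this value where PATH_MAX is smaller)
MAX_LENGTH=4095
INPUT="$1"
# Count bytes, not characters, regardless of the caller's locale
INPUT_BYTES=$(LC_ALL=C; printf '%s' "${#INPUT}")
if [ "$INPUT_BYTES" -gt "$MAX_LENGTH" ]; then
    echo "Error: Input exceeds maximum allowed length" >&2
    exit 1
fi
# Proceed with GMT command
gmt which "$INPUT"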
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


