CVE-2026-8213 Overview
CVE-2026-8213 is a heap-based buffer overflow in the OSGeo GDAL library affecting versions up to 3.13.0dev-4. The flaw resides in the GDSDfldsrch function within frmts/hdf4/hdf-eos/GDapi.c, which is part of the Grid File Handler used to parse HDF4-EOS metadata. The function performs memmove operations to strip surrounding quotes from a FieldList metadata value without first verifying that the value is properly quoted or that its length is sufficient, leading to out-of-bounds memory access on the heap. Exploitation requires local access and a crafted HDF4-EOS file. The issue is tracked under [CWE-119] and was resolved in GDAL 3.13.0RC1 via commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd.
Critical Impact
A local attacker who can supply a malformed HDF4-EOS file to a GDAL-based application can trigger a heap buffer overflow, potentially causing process crashes or limited memory corruption.
Affected Products
- OSGeo GDAL versions up to and including 3.13.0dev-4
- Applications and geospatial tooling embedding the affected GDAL HDF4-EOS driver
- Fixed in GDAL 3.13.0RC1 and later
Discovery Timeline
- 2026-05-09 - CVE-2026-8213 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8213
Vulnerability Analysis
The vulnerability lives in the HDF4-EOS Grid File Handler implementation in frmts/hdf4/hdf-eos/GDapi.c, with an identical defect in frmts/hdf4/hdf-eos/SWapi.c. The GDSDfldsrch routine calls EHgetmetavalue(metaptrs, "FieldList", name) to retrieve a field list string from HDF4-EOS metadata. The code then unconditionally executes memmove(name, name + 1, strlen(name) - 2) followed by writing a null terminator at name[strlen(name) - 2]. When the returned name is shorter than two characters or not wrapped in quotes, strlen(name) - 2 underflows or the indexing reads outside the allocated heap buffer. The EPSS score for this issue is low, reflecting the local attack vector and limited exploitation surface.
Root Cause
The root cause is missing input validation on the metadata value returned by EHgetmetavalue. The original code assumes the field list is always at least two characters long and surrounded by double quotes. No length check or quote check was performed before the memmove call, allowing a heap out-of-bounds read and arithmetic underflow on the length argument.
Attack Vector
An attacker with local file delivery capability supplies a crafted HDF4-EOS dataset whose FieldList metadata entry is either empty, unterminated, or missing the leading and trailing quote characters. When a GDAL-based application opens the file and traverses the grid metadata, GDSDfldsrch triggers the out-of-bounds memory access. The impact is limited to the privileges of the process that invoked GDAL.
/* Patched code from frmts/hdf4/hdf-eos/GDapi.c */
/* Get field list and strip off leading and trailing quotes */
if (EHgetmetavalue(metaptrs, "FieldList", name) == 0)
{
const size_t len = strlen(name);
if (len >= 2 && name[0] == '"' && name[len-1] == '"')
{
memmove(name, name + 1, strlen(name) - 2);
name[strlen(name) - 2] = 0;
}
}
else
{
name[0] = '\0';
}
/* Search for desired field within merged field list */
Source: GitHub Commit 3e04c038
The patch adds a return-code check on EHgetmetavalue, validates that the buffer length is at least two bytes, and confirms that the field list is bounded by double-quote characters before invoking memmove. The identical guard is applied in SWapi.c.
Detection Methods for CVE-2026-8213
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes that link against libgdal when opening HDF4 or HDF-EOS datasets
- AddressSanitizer or Valgrind reports of heap-buffer-overflow in GDSDfldsrch or related HDF4-EOS handlers
- Presence of HDF4-EOS files from untrusted sources in geospatial processing pipelines
Detection Strategies
- Inventory installed GDAL versions across workstations, build agents, and container images and flag any version at or below 3.13.0dev-4
- Run fuzzing or sanitizer-instrumented builds of GDAL against ingested HDF4-EOS samples to surface heap overflow conditions
- Review application logs for repeated GDAL driver errors when parsing HDF4-EOS grid metadata
Monitoring Recommendations
- Monitor endpoints and servers for abnormal termination of GDAL utilities such as gdalinfo, gdal_translate, and ogr2ogr
- Track file ingestion of .hdf and .he4 artifacts originating from outside trusted data providers
- Alert on core dump generation by processes that load the HDF4 driver shared object
How to Mitigate CVE-2026-8213
Immediate Actions Required
- Upgrade GDAL to version 3.13.0RC1 or later on all systems that process HDF4-EOS files
- Rebuild and redeploy container images and Python wheels (for example rasterio, fiona) that bundle a vulnerable GDAL
- Restrict who can place HDF4-EOS files into automated processing pipelines until patching is complete
Patch Information
The upstream fix is commit 3e04c0385630e4d42517046d9a4967dfccfeb7fd, included in the v3.13.0RC1 release. The commit modifies both frmts/hdf4/hdf-eos/GDapi.c and frmts/hdf4/hdf-eos/SWapi.c to validate the FieldList metadata value before performing pointer arithmetic. See the GitHub Release Notes for v3.13.0RC1 and the upstream issue discussion for full context.
Workarounds
- Disable the HDF4 driver at GDAL build time or via the GDAL_SKIP=HDF4 environment variable if HDF4 support is not required
- Validate HDF4-EOS inputs in a sandboxed process with reduced privileges and resource limits before passing them to production tooling
- Constrain file system permissions so only trusted accounts can introduce HDF4 datasets into ingest directories
# Skip the HDF4 driver to neutralize the vulnerable code path
export GDAL_SKIP="HDF4 HDF4Image"
gdalinfo --formats | grep -i hdf4
# Verify the installed GDAL version after upgrade
gdal-config --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
