CVE-2025-67269: n/a
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
AI Analysis
Technical Summary
CVE-2025-67269 is a high-severity integer underflow vulnerability in gpsd, an open-source GPS service daemon widely used for interfacing with GPS receivers. The flaw is in the `nextstate()` function in gpsd's `packet.c` source file, specifically in the parsing of NAVCOM packets. The code calculates the payload length by subtracting 4 from an input byte value `c` without verifying that `c` is at least 4. Because `c` is cast to the unsigned type `size_t`, a value of `c` less than 4 makes the subtraction underflow, setting `lexer->length` to a very large value close to `SIZE_MAX`. The parser then enters a loop attempting to consume this massive number of bytes, which leads to excessive CPU consumption (100% utilization) and a denial of service (DoS) condition. This flaw does not affect confidentiality or integrity but severely impacts availability. The vulnerability requires no privileges or user interaction, making it remotely exploitable over the network. The affected gpsd versions are those prior to the commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`, though exact version numbers are not specified. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for systems relying on gpsd for GPS data processing. The vulnerability is classified under CWE-191 (Integer Underflow).
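The arithmetic described above, shown next to a checked form. This is an added example, not gpsd source and not the content of the fix commit: the function names, the `LEN_OVERHEAD` constant and the simplified consumer loop are hypothetical, and only the expression `(size_t)c - 4` comes from the advisory.

```c
/* Added illustration; names are hypothetical, not gpsd source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEN_OVERHEAD 4u /* the constant subtracted in the advisory's expression */

/* Pre-fix arithmetic as quoted in the advisory: no lower bound on c. */
static size_t payload_len_unchecked(unsigned char c)
{
    return (size_t)c - LEN_OVERHEAD; /* wraps modulo SIZE_MAX+1 when c < 4 */
}

/* Hardened form: validate before subtracting, reject the packet otherwise. */
static bool payload_len_checked(unsigned char c, size_t *out)
{
    if (c < LEN_OVERHEAD)
        return false;
    *out = (size_t)c - LEN_OVERHEAD;
    return true;
}

/* Model of a byte-at-a-time consumer: true if a payload of `length`
 * bytes completes within `avail` bytes of input. */
static bool payload_completes(size_t length, size_t avail)
{
    size_t consumed = 0;
    while (length > 0 && consumed < avail) {
        length--;
        consumed++;
    }
    return length == 0;
}

int main(void)
{
    size_t n = 0;
    for (unsigned c = 0; c <= 5; c++) { /* constructed sample length bytes */
        bool ok = payload_len_checked((unsigned char)c, &n);
        printf("c=%u unchecked=%zu checked=%s\n", c,
               payload_len_unchecked((unsigned char)c), ok ? "accepted" : "rejected");
    }
    printf("1 KiB of input completes wrapped length: %d\n",
           payload_completes(payload_len_unchecked(3), 1024));
    return 0;
}
```

With the checked form, a malformed length byte ends the packet immediately instead of leaving the parser waiting on a payload that no realistic input stream can satisfy.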
Potential Impact
For European organizations, the primary impact of CVE-2025-67269 is denial of service on systems running vulnerable gpsd versions. This can disrupt GPS data availability, affecting navigation, timing synchronization, and location-based services. Critical infrastructure sectors such as maritime navigation, aviation, telecommunications, and geospatial services that rely on gpsd for accurate GPS data could experience operational outages or degraded service quality. In maritime and aviation industries, GPS data is vital for safe navigation and compliance with regulations, so disruptions could have safety and regulatory consequences. Telecommunications networks using GPS for timing synchronization could face network instability or outages. The DoS condition could also be leveraged as part of a larger attack to degrade service or cause cascading failures in dependent systems. Although no confidentiality or integrity impact is present, the availability impact alone is significant for mission-critical systems. The lack of required privileges or user interaction increases the risk of remote exploitation.
Mitigation Recommendations
European organizations should immediately identify and inventory all systems running gpsd, especially those involved in critical infrastructure and navigation services. They should update gpsd to the fixed version that includes the commit ffa1d6f40bca0b035fc7f5e563160ebb67199da7 or later, which properly validates the input byte before subtracting to prevent underflow. If immediate patching is not possible, organizations can implement network-level mitigations such as filtering or rate-limiting NAVCOM packet traffic to gpsd services to reduce exposure. Monitoring CPU utilization and gpsd logs for anomalous behavior indicative of exploitation attempts is recommended. Additionally, applying application-level input validation or sandboxing gpsd processes can limit the impact of potential exploitation. Organizations should also engage with gpsd maintainers and security communities for updates and advisories. Finally, integrating gpsd vulnerability checks into vulnerability management and patching workflows will help prevent future exposure.
Affected Countries
United Kingdom, Germany, France, Netherlands, Norway, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6957eb35db813ff03ef3559e
Added to database: 1/2/2026, 3:58:45 PM
Last enriched: 1/9/2026, 4:55:31 PM
Last updated: 2/7/2026, 11:34:00 AM