GenericMappingTools (GMT) is an open-source suite of command-line utilities widely used for processing geographic and Cartesian datasets. In versions 6.6.0 and earlier, a stack-based buffer overflow vulnerability (CWE-121) was discovered in the gmt_remote_dataset_id function located in src/gmt_remote.c. This function processes dataset identifiers, and when it receives an excessively long, specially crafted string, it fails to properly validate input length, leading to a buffer overflow on the stack. This memory corruption can cause the application to crash or, more critically, allow an attacker to execute arbitrary code with the privileges of the GMT process. The vulnerability requires local access (attack vector: local) but no privileges or user interaction, making it easier to exploit in environments where users have shell access. The vulnerability was assigned CVE-2026-33147 with a CVSS v3.1 score of 7.3, reflecting high severity due to its impact on availability (crash) and potential confidentiality and integrity (code execution). The issue has been addressed in a patch committed under ID 0ad2b49, which corrects the input handling to prevent overflow. No public exploits have been reported yet, but the nature of the vulnerability makes it a significant risk for affected systems. GMT is commonly used in scientific, environmental, and defense applications, where data integrity and availability are critical.

The vulnerability poses a significant risk to organizations relying on GMT for geospatial data processing. Exploitation can lead to denial of service through application crashes, disrupting critical data workflows. More severely, arbitrary code execution could allow attackers to escalate privileges, manipulate sensitive geographic data, or establish persistence on affected systems. This can compromise the confidentiality and integrity of datasets, potentially impacting decision-making in sectors such as environmental monitoring, urban planning, defense, and research institutions. Since GMT is often deployed in Linux-based environments, local users or attackers with limited access could exploit this flaw to gain further control. The absence of required privileges or user interaction lowers the barrier for exploitation in multi-user or shared environments. Although no exploits are currently known in the wild, the vulnerability’s characteristics warrant urgent remediation to prevent future attacks.

Organizations should immediately upgrade GMT to versions later than 6.6.0 where the vulnerability is patched. If upgrading is not immediately feasible, apply any available backported patches or mitigations from the GMT maintainers. Implement strict input validation and sanitization on dataset identifiers to prevent excessively long strings from being processed. Restrict local access to systems running GMT to trusted users only, and employ least privilege principles to limit potential exploitation impact. Monitor system logs for unusual crashes or suspicious activity related to GMT processes. Consider deploying runtime protections such as stack canaries, address space layout randomization (ASLR), and control flow integrity (CFI) to reduce exploitation likelihood. Regularly audit and update all geospatial software dependencies to maintain security hygiene.