CVE-2026-58459 - gpsd gpsprof Command Injection
A command injection vulnerability, CVE-2026-58459, exists in the gpsprof utility of gpsd through version 3.27.5, allowing an attacker to exploit this by controlling the GPS device subtype value and embedding backtick payloads within the gnuplot plot title, which leads to arbitrary shell command execution as the user running gnuplot when a victim renders a generated plot via the gpsprof and gnuplot workflow due to improper escaping.
gpsd, an open-source service daemon for GPS receivers, through release 3.27.5, contains a critical command injection vulnerability, CVE-2026-58459, within its gpsprof utility. This flaw allows an attacker to achieve arbitrary shell command execution on systems that process potentially untrusted GPS device subtype values. The vulnerability arises when the gpsprof utility generates gnuplot programs for data visualization. Specifically, if a maliciously crafted GPS device subtype value, sourced from a DEVICES JSON log entry or an NMEA PGRMT sentence, contains backtick payloads, gpsprof will embed these unescaped payloads directly into the set title statement of the gnuplot script. When a victim subsequently renders this generated plot using the gnuplot program, the embedded shell commands are executed with the privileges of the user running gnuplot. This impacts systems that use gpsprof to analyze GPS data, potentially leading to full system compromise or data exfiltration by exploiting an often overlooked data processing workflow.
Attack Chain
- An attacker crafts a malicious GPS device subtype value containing shell command payloads (e.g.,
test`id\). This value can be embedded in a DEVICES JSON log entry or an NMEA PGRMT sentence. - The malicious GPS data is provided to a system running
gpsd. - The
gpsprofutility is invoked on the system to process the GPS data and generate a gnuplot program. gpsprofreads the malicious device subtype value and, due to improper escaping, embeds the backtick payload directly into aset titlestatement within the generated gnuplot script.- A legitimate user or automated process attempts to render the generated plot by executing the crafted gnuplot program using the
gnuplotapplication. - Upon execution, the
gnuplotapplication interprets the backtick payload within theset titlecommand, leading to the execution of the attacker's arbitrary shell commands with the privileges of the user runninggnuplot. - The attacker's commands execute, potentially leading to system compromise, data exfiltration, or further lateral movement.
Impact
Successful exploitation of CVE-2026-58459 grants an attacker arbitrary shell command execution as the user running the gpsprof and gnuplot workflow. This can lead to complete compromise of the affected system, allowing for data exfiltration, installation of additional malware, or further lateral movement within the network. While no specific victim count or targeted sectors have been disclosed, any organization or individual processing potentially untrusted GPS data using gpsd versions through 3.27.5 is at risk. The ease of exploitation by simply controlling an input value makes this a significant threat.
Recommendation
- Patch CVE-2026-58459 immediately by upgrading
gpsdto a version beyond 3.27.5, or applying commit 4c06658. - Deploy the Sigma rule "Detects CVE-2026-58459 Exploitation - gnuplot Spawning Suspicious Processes" in this brief to your SIEM to detect suspicious process execution originating from
gnuploton Linux and macOS systems. - Enable
process_creationlogging for Linux and macOS endpoints to ensure telemetry is available for the provided detection rule. - Review and restrict execution of
gpsprofandgnuplotto trusted data sources and environments where untrusted input cannot be processed.
Detection coverage 2
Detects CVE-2026-58459 Exploitation - gnuplot Spawning Suspicious Processes
highDetects CVE-2026-58459 exploitation where the gnuplot process, invoked by gpsprof, spawns suspicious child processes indicative of command injection.
Detects CVE-2026-58459 Exploitation (macOS) - gnuplot Spawning Suspicious Processes
highDetects CVE-2026-58459 exploitation where the gnuplot process, invoked by gpsprof, spawns suspicious child processes indicative of command injection on macOS.
Detection queries are available on the platform. Get full rules →