{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gpsd--3.27.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-58459"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["gpsd (\u003c= 3.27.5)"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","execution","linux","macos"],"_cs_type":"advisory","_cs_vendors":["gpsd project"],"content_html":"\u003cp\u003egpsd, an open-source service daemon for GPS receivers, through release 3.27.5, contains a critical command injection vulnerability, CVE-2026-58459, within its \u003ccode\u003egpsprof\u003c/code\u003e utility. This flaw allows an attacker to achieve arbitrary shell command execution on systems that process potentially untrusted GPS device subtype values. The vulnerability arises when the \u003ccode\u003egpsprof\u003c/code\u003e utility generates gnuplot programs for data visualization. Specifically, if a maliciously crafted GPS device subtype value, sourced from a DEVICES JSON log entry or an NMEA PGRMT sentence, contains backtick payloads, \u003ccode\u003egpsprof\u003c/code\u003e will embed these unescaped payloads directly into the \u003ccode\u003eset title\u003c/code\u003e statement of the gnuplot script. When a victim subsequently renders this generated plot using the \u003ccode\u003egnuplot\u003c/code\u003e program, the embedded shell commands are executed with the privileges of the user running \u003ccode\u003egnuplot\u003c/code\u003e. This impacts systems that use \u003ccode\u003egpsprof\u003c/code\u003e to analyze GPS data, potentially leading to full system compromise or data exfiltration by exploiting an often overlooked data processing workflow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious GPS device subtype value containing shell command payloads (e.g., \u003ccode\u003etest\u003c/code\u003e`id\u003ccode\u003e\\\u003c/code\u003e). This value can be embedded in a DEVICES JSON log entry or an NMEA PGRMT sentence.\u003c/li\u003e\n\u003cli\u003eThe malicious GPS data is provided to a system running \u003ccode\u003egpsd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egpsprof\u003c/code\u003e utility is invoked on the system to process the GPS data and generate a gnuplot program.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egpsprof\u003c/code\u003e reads the malicious device subtype value and, due to improper escaping, embeds the backtick payload directly into a \u003ccode\u003eset title\u003c/code\u003e statement within the generated gnuplot script.\u003c/li\u003e\n\u003cli\u003eA legitimate user or automated process attempts to render the generated plot by executing the crafted gnuplot program using the \u003ccode\u003egnuplot\u003c/code\u003e application.\u003c/li\u003e\n\u003cli\u003eUpon execution, the \u003ccode\u003egnuplot\u003c/code\u003e application interprets the backtick payload within the \u003ccode\u003eset title\u003c/code\u003e command, leading to the execution of the attacker's arbitrary shell commands with the privileges of the user running \u003ccode\u003egnuplot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's commands execute, potentially leading to system compromise, data exfiltration, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-58459 grants an attacker arbitrary shell command execution as the user running the \u003ccode\u003egpsprof\u003c/code\u003e and \u003ccode\u003egnuplot\u003c/code\u003e workflow. This can lead to complete compromise of the affected system, allowing for data exfiltration, installation of additional malware, or further lateral movement within the network. While no specific victim count or targeted sectors have been disclosed, any organization or individual processing potentially untrusted GPS data using \u003ccode\u003egpsd\u003c/code\u003e versions through 3.27.5 is at risk. The ease of exploitation by simply controlling an input value makes this a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-58459 immediately by upgrading \u003ccode\u003egpsd\u003c/code\u003e to a version beyond 3.27.5, or applying commit 4c06658.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-58459 Exploitation - gnuplot Spawning Suspicious Processes\u0026quot; in this brief to your SIEM to detect suspicious process execution originating from \u003ccode\u003egnuplot\u003c/code\u003e on Linux and macOS systems.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging for Linux and macOS endpoints to ensure telemetry is available for the provided detection rule.\u003c/li\u003e\n\u003cli\u003eReview and restrict execution of \u003ccode\u003egpsprof\u003c/code\u003e and \u003ccode\u003egnuplot\u003c/code\u003e to trusted data sources and environments where untrusted input cannot be processed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T17:19:19Z","date_published":"2026-07-09T17:19:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-gpsd-cmd-injection/","summary":"A command injection vulnerability, CVE-2026-58459, exists in the gpsprof utility of gpsd through version 3.27.5, allowing an attacker to exploit this by controlling the GPS device subtype value and embedding backtick payloads within the gnuplot plot title, which leads to arbitrary shell command execution as the user running gnuplot when a victim renders a generated plot via the gpsprof and gnuplot workflow due to improper escaping.","title":"CVE-2026-58459 - gpsd gpsprof Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-gpsd-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Gpsd (\u003c= 3.27.5)","version":"https://jsonfeed.org/version/1.1"}