<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Gpsd (&lt;= 3.27.5) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/gpsd--3.27.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 17:19:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/gpsd--3.27.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-58459 - gpsd gpsprof Command Injection</title><link>https://feed.craftedsignal.io/briefs/2026-07-gpsd-cmd-injection/</link><pubDate>Thu, 09 Jul 2026 17:19:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-gpsd-cmd-injection/</guid><description>A command injection vulnerability, CVE-2026-58459, exists in the gpsprof utility of gpsd through version 3.27.5, allowing an attacker to exploit this by controlling the GPS device subtype value and embedding backtick payloads within the gnuplot plot title, which leads to arbitrary shell command execution as the user running gnuplot when a victim renders a generated plot via the gpsprof and gnuplot workflow due to improper escaping.</description><content:encoded><![CDATA[<p>gpsd, an open-source service daemon for GPS receivers, through release 3.27.5, contains a critical command injection vulnerability, CVE-2026-58459, within its <code>gpsprof</code> utility. This flaw allows an attacker to achieve arbitrary shell command execution on systems that process potentially untrusted GPS device subtype values. The vulnerability arises when the <code>gpsprof</code> utility generates gnuplot programs for data visualization. Specifically, if a maliciously crafted GPS device subtype value, sourced from a DEVICES JSON log entry or an NMEA PGRMT sentence, contains backtick payloads, <code>gpsprof</code> will embed these unescaped payloads directly into the <code>set title</code> statement of the gnuplot script. When a victim subsequently renders this generated plot using the <code>gnuplot</code> program, the embedded shell commands are executed with the privileges of the user running <code>gnuplot</code>. This impacts systems that use <code>gpsprof</code> to analyze GPS data, potentially leading to full system compromise or data exfiltration by exploiting an often overlooked data processing workflow.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious GPS device subtype value containing shell command payloads (e.g., <code>test</code>`id<code>\</code>). This value can be embedded in a DEVICES JSON log entry or an NMEA PGRMT sentence.</li>
<li>The malicious GPS data is provided to a system running <code>gpsd</code>.</li>
<li>The <code>gpsprof</code> utility is invoked on the system to process the GPS data and generate a gnuplot program.</li>
<li><code>gpsprof</code> reads the malicious device subtype value and, due to improper escaping, embeds the backtick payload directly into a <code>set title</code> statement within the generated gnuplot script.</li>
<li>A legitimate user or automated process attempts to render the generated plot by executing the crafted gnuplot program using the <code>gnuplot</code> application.</li>
<li>Upon execution, the <code>gnuplot</code> application interprets the backtick payload within the <code>set title</code> command, leading to the execution of the attacker's arbitrary shell commands with the privileges of the user running <code>gnuplot</code>.</li>
<li>The attacker's commands execute, potentially leading to system compromise, data exfiltration, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-58459 grants an attacker arbitrary shell command execution as the user running the <code>gpsprof</code> and <code>gnuplot</code> workflow. This can lead to complete compromise of the affected system, allowing for data exfiltration, installation of additional malware, or further lateral movement within the network. While no specific victim count or targeted sectors have been disclosed, any organization or individual processing potentially untrusted GPS data using <code>gpsd</code> versions through 3.27.5 is at risk. The ease of exploitation by simply controlling an input value makes this a significant threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-58459 immediately by upgrading <code>gpsd</code> to a version beyond 3.27.5, or applying commit 4c06658.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-58459 Exploitation - gnuplot Spawning Suspicious Processes&quot; in this brief to your SIEM to detect suspicious process execution originating from <code>gnuplot</code> on Linux and macOS systems.</li>
<li>Enable <code>process_creation</code> logging for Linux and macOS endpoints to ensure telemetry is available for the provided detection rule.</li>
<li>Review and restrict execution of <code>gpsprof</code> and <code>gnuplot</code> to trusted data sources and environments where untrusted input cannot be processed.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>vulnerability</category><category>execution</category><category>linux</category><category>macos</category></item></channel></rss>