CVE-2026-58459

NTPsec · gpsd

NTPsec gpsd is vulnerable to OS command injection via the gnuplot plot title subtype field, allowing for arbitrary code execution.

Executive summary

A critical OS command injection vulnerability in NTPsec gpsd allows attackers to execute arbitrary commands with the privileges of the service.

Vulnerability

This vulnerability is an OS command injection (CWE-78) flaw triggered via the gnuplot plot title subtype field. The attack vector is local with user interaction required, though the potential impact on system integrity and availability is severe.

Business impact

Successful exploitation of this vulnerability could grant an attacker the ability to execute unauthorized commands on the host system. Given the CVSS score of 7.8, this poses a significant risk to system integrity, potentially leading to full system compromise, unauthorized data access, or service disruption.

Remediation

Immediate Action: Review the provided vendor references and update to the latest patched version of gpsd once available.

Proactive Monitoring: Monitor system logs for suspicious process execution patterns or unexpected gnuplot activity originating from the gpsd service.

Compensating Controls: Restrict access to the gpsd service and ensure it runs with the minimum necessary privileges to limit the impact of a potential compromise.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this command injection vulnerability necessitates immediate attention. Administrators should prioritize identifying instances of the affected software and applying updates as soon as they are released by the vendor to prevent potential system-level compromise.