JLSEC-2026-288 CVSS_V4

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo...

JLSEC Published: Apr 28, 2026
Modified: Apr 28, 2026
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:L/U:Amber
Affected Packages: GDAL_jll < 303.1100.0+0
Aliases / Upstream: CVE-2026-4738 GHSA-hp6p-5qh5-w9fj EUVD-2026-14706

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.C‎.

This issue affects gdal: before 3.11.0.

References

https://github.com/OSGeo/gdal/pull/12244
https://github.com/advisories/GHSA-hp6p-5qh5-w9fj
https://nvd.nist.gov/vuln/detail/CVE-2026-4738