HDF5 Heap-Based Buffer Overflow Vulnerability in H5SM_delete Function

Vulnerability

A critical heap-based buffer overflow vulnerability has been identified in the HDF5 library version 1.14.6. The issue arises in the H5SM_delete function within the H5SM.c file, part of the h5 File Handler component. This vulnerability can be exploited remotely, although the attack's complexity is considered high.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, causing an out-of-bounds read that can crash the application.

Reproduction

The vulnerability can be reproduced by compiling the HDF5 library with Clang, with AddressSanitizer and fuzzing enabled. After building the library, a fuzzer can be created and run against a crafted .h5 file that triggers the buffer overflow, causing a segmentation fault.
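
To confirm that a crash produced by this procedure is the one described here, the sanitizer output can be checked for a heap-buffer-overflow READ whose faulting frame is H5SM_delete in H5SM.c. The Python below is an added example, not part of the advisory or the HDF5 project; the sample report is constructed (addresses, line numbers and every frame other than H5SM_delete are placeholders), and only the heap-buffer-overflow report form is handled.

```python
import re

# Constructed ASan report: addresses, line numbers and every frame other than
# H5SM_delete in H5SM.c are placeholders, not taken from a real crash.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000118 at pc 0x0000004fffff bp 0x7ffc00000010 sp 0x7ffc00000008
READ of size 4 at 0x602000000118 thread T0
    #0 0x4fffff in H5SM_delete /src/hdf5/src/H5SM.c:100:9
    #1 0x4ffff0 in LLVMFuzzerTestOneInput /src/fuzz/h5_fuzzer.c:20:5

0x602000000118 is located 0 bytes after 8-byte region [0x602000000110,0x602000000118)
allocated by thread T0 here:
    #0 0x4a0000 in malloc (/out/h5_fuzzer+0xa0000)
    #1 0x4ffee0 in placeholder_alloc /src/hdf5/src/placeholder.c:10:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/hdf5/src/H5SM.c:100:9 in H5SM_delete
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::\d+)*$", re.M)
RUNTIME_PREFIXES = ("__asan", "__interceptor", "__sanitizer")


def triage(report, func="H5SM_delete", src="H5SM.c"):
    """Summarise an ASan heap report and say whether it fits the advisory."""
    err, acc = ERROR_RE.search(report), ACCESS_RE.search(report)
    if not err or not acc:
        return None  # not a report form this example handles
    # Only the first stack is the faulting access; the allocation/free stacks
    # that follow a blank line must not be matched against the advisory.
    access_stack = report[acc.end():].split("\n\n", 1)[0]
    frames = [(m.group(1), m.group(2).rsplit("/", 1)[-1])
              for m in FRAME_RE.finditer(access_stack)]
    # Skip sanitizer runtime frames to reach the first frame in library code.
    code = [f for f in frames if not f[0].startswith(RUNTIME_PREFIXES)]
    top = code[0] if code else None
    return {
        "error": err.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "top_frame": top,
        "matches_advisory": (err.group(1) == "heap-buffer-overflow"
                             and acc.group(1) == "READ"
                             and top == (func, src)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```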

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.