HDF5
cpe:2.3:a:hdfgroup:hdf5:*:*:*:*:*:*:*
- 1.14.6
HDF5 version 1.14.6 contains a vulnerability in the H5C__load_entry function in src/H5Centry.c. Improper management of memory allocation allows excessively large allocation requests that exceed the maximum supported size, which leads to excessive resource consumption and a denial-of-service condition. The vulnerability can be exploited locally, and a proof-of-concept exploit is publicly available.
Exploitation causes a denial-of-service condition: the excessive memory allocation can exhaust available system resources and disrupt normal application functionality.
The vulnerability can be reproduced by compiling HDF5 with Clang, using specific compiler flags that enable AddressSanitizer and fuzzing. After the library is built, the h5_extended_fuzzer tool can be run with a crafted input that triggers the excessive memory allocation.