Primary

Context

HDFGroup HDF5 Heap-Use-After-Free Vulnerability in Version 1.14.6

Vulnerability

A heap-use-after-free vulnerability has been identified in HDF5 version 1.14.6. The issue arises in the function H5FL__reg_gc_list within the file src/H5FL.c. This vulnerability can be exploited locally, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a heap-use-after-free condition, which can lead to memory corruption. In this case, it has been demonstrated to cause a denial-of-service by crashing the application.

Reproduction

The vulnerability can be reproduced by compiling HDF5 with Clang, using specific compiler flags to enable address sanitization and optimization settings that facilitate fuzzing. After building the library, a fuzzing harness can be used to trigger the vulnerability by sending crafted input that exploits the use-after-free condition.

Added: Jun 29, 2025, 10:19 AM

Updated: Jun 29, 2025, 10:19 AM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

2.5

exploitability

4.6

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

2.5

exploitability

4.6

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

HDFGroup HDF5 Heap-Use-After-Free Vulnerability in Version 1.14.6

Vulnerability

Impact

Reproduction

Affected Products

HDF5

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating