HDF5
cpe:2.3:a:hdfgroup:hdf5:*:*:*:*:*:*:*
- 1.14.6
A stack-based buffer overflow vulnerability has been identified in HDF5 version 1.14.6. The issue arises in the H5G__node_cmp3 function within the file src/H5Gnode.c. This vulnerability can be exploited locally, leading to a denial-of-service condition by causing a stack overflow.
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to a denial-of-service condition by crashing the application or causing uncontrolled recursion.
The vulnerability can be reproduced by compiling HDF5 with AddressSanitizer enabled, using Clang as the compiler. After building the library, the H5 extended fuzzer, also available on GitHub, can be used to trigger the vulnerability. The fuzzer should be compiled with the same sanitization flags and linked against the HDF5 library. Once compiled, the fuzzer can be run with a proof-of-concept file that triggers the overflow.