HDF5 Heap-Based Buffer Overflow Vulnerability in H5FS__sinfo_serialize_node_cb Function

Vulnerability

A heap-based buffer overflow vulnerability has been identified in HDF5 version 1.14.6. This issue arises in the function H5FS__sinfo_serialize_node_cb within the file src/H5FScache.c. The vulnerability requires local access to exploit and has been publicly disclosed, with an available proof-of-concept exploit.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, which can commonly result in arbitrary code execution or a program crash.

Reproduction

The vulnerability can be reproduced by compiling HDF5 with AddressSanitizer enabled, using Clang as the compiler. After building the library, the HDF5 extended fuzzer, also available on GitHub, can be used to trigger the vulnerability by sending specially crafted input that exploits the buffer overflow condition.

Added: Jul 4, 2025, 6:26 PM
Updated: Jul 4, 2025, 6:26 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.