HDF5 Memory Leak Vulnerability in H5FL__malloc Function

Vulnerability

A memory leak vulnerability has been identified in HDF5 version 1.14.6. The issue arises in the H5FL__malloc function within the file src/H5FL.c. This vulnerability leads to a denial-of-service condition by causing excessive memory consumption. The vulnerability must be exploited locally, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability causes a memory leak, where allocated memory is not properly released after use, leading to increased memory consumption and potential denial-of-service conditions.

Reproduction

The vulnerability can be reproduced by compiling HDF5 with Clang, using specific compiler flags to enable address sanitization and optimization settings that facilitate fuzzing. After building the library, the HDF5 extended fuzzer, which is part of the OSS-Fuzz project, can be used to trigger the memory leak by opening datasets with crafted inputs that exploit the flaw in the H5FL__malloc function.

Added: Jul 4, 2025, 9:18 PM
Updated: Jul 4, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.