HDF5 library through 1.14.3 has memory corruption in H5A__close resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
The vulnerability classified as CWE-787 (out-of-bounds write) involves improper memory management during HDF5 attribute closure in the H5A__close function. An erroneous write operation outside the allocated memory area leads to instruction pointer corruption. An attacker can prepare a malicious HDF5 file, which when processed by the vulnerable library will trigger this error.
An attacker can cause an application using the HDF5 library to crash (DoS) or, under favorable circumstances, execute arbitrary code in the context of the process handling the file (RCE). A high CVSS score of 9.8 indicates a complete threat to system confidentiality, integrity, and availability.
The HDF5 library should be updated to version 1.14.4 or later, in which the vulnerability was removed by the vendor. Details available at: https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
HDF5 library (HDF Group) in versions up to and including 1.14.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHdfgroup Hdf5
APPHdfgroup< 1.14.4
Related vulnerabilities
Stack buffer overflow w HDF5 — RCE lub DoS przez uszkodzenie wskaźnika instrukcji
HDF5 Library: użycie niezainicjowanej wartości w H5A__attr_release_table
HDF5: heap buffer overflow w H5HG_read umożliwiający RCE lub DoS
Buffer overflow w HDF5 H5Z__filter_scaleoffset – RCE lub DoS
HDF5 Library: heap-based buffer overflow w dekompresji nbit