CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-32615

CVSS 9.8v3.1pub. 2024-05-14upd. 2025-04-18

HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier use of an initialized pointer.

🤖 AI Analysis
How it works

The vulnerability results from the use of an uninitialized pointer in the function responsible for decompressing data with the nbit filter. This leads to writing data outside the bounds of the allocated heap area (heap-based buffer overflow, CWE-787). An attacker can provide a specially crafted HDF5 file whose processing by the vulnerable library will trigger a buffer overflow error.

Impact

Successful exploitation may allow an attacker to execute arbitrary code (RCE) in the context of the process handling the HDF5 file, as well as violate the confidentiality, integrity, and availability of the system.

Mitigation & patch

The HDF5 library should be updated to version 1.14.4 or later, in which the vulnerability has been fixed by the vendor. Details are available at: https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

Who is affected

HDF5 Library in versions up to and including 1.14.3 (Hdfgroup HDF5 through 1.14.3)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hdfgroup Hdf5

    APP
    Hdfgroup
    < 1.14.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2024-32608CRITICAL9.8PL ✓ten sam produkt

Podatność RCE/DoS w bibliotece HDF5 — uszkodzenie pamięci w H5A__close

CVE-2024-29164CRITICAL9.8PL ✓ten sam produkt

Stack buffer overflow w HDF5 — RCE lub DoS przez uszkodzenie wskaźnika instrukcji

CVE-2024-29157CRITICAL9.8PL ✓ten sam produkt

HDF5: heap buffer overflow w H5HG_read umożliwiający RCE lub DoS

CVE-2024-29159CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w HDF5 H5Z__filter_scaleoffset – RCE lub DoS

CVE-2024-32611CRITICAL9.8PL ✓ten sam produkt

HDF5 Library: użycie niezainicjowanej wartości w H5A__attr_release_table