CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-29164

CVSS 9.8v3.1pub. 2024-05-14upd. 2025-04-18

HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.

🤖 AI Analysis
How it works

The vulnerability is a stack buffer overflow (CWE-121) in the H5R__decode_heap function of the HDF5 library. When decoding data from so-called heap references, the library does not properly validate the data size, leading to overwriting stack memory areas beyond the allocated buffer. This results in instruction pointer corruption, which can cause application failure or takeover of its execution control.

Impact

An attacker can cause an application using the HDF5 library to crash (DoS) or — under favorable conditions — execute arbitrary code with the privileges of the process processing the HDF5 file. The vulnerability does not require authentication or user interaction.

Mitigation & patch

Update the HDF5 library to version 1.14.4 or newer, in which the vendor has fixed the described vulnerability. Details are available in the vendor references: https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

Who is affected

HDF5 (Hdfgroup library) in versions up to and including 1.14.3.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hdfgroup Hdf5

    APP
    Hdfgroup
    < 1.14.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDoSMemory
CWE
References

Related vulnerabilities

CVE-2024-32608CRITICAL9.8PL ✓ten sam produkt

Podatność RCE/DoS w bibliotece HDF5 — uszkodzenie pamięci w H5A__close

CVE-2024-32611CRITICAL9.8PL ✓ten sam produkt

HDF5 Library: użycie niezainicjowanej wartości w H5A__attr_release_table

CVE-2024-29157CRITICAL9.8PL ✓ten sam produkt

HDF5: heap buffer overflow w H5HG_read umożliwiający RCE lub DoS

CVE-2024-29159CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w HDF5 H5Z__filter_scaleoffset – RCE lub DoS

CVE-2024-32615CRITICAL9.8PL ✓ten sam produkt

HDF5 Library: heap-based buffer overflow w dekompresji nbit