HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
The vulnerability results from improper memory initialization (CWE-908, CWE-457) — the library may read or use a value from a variable whose content has not been previously set correctly. The H5A__attr_release_table function responsible for releasing the attribute table may operate on data from an uninitialized memory area. Such an error can be triggered by processing a specially crafted HDF5 file that forces the library to execute the vulnerable code path.
An attacker could potentially gain unauthorized access to data in memory, compromise the integrity of processed information, or cause application failure. In the worst case, the error could enable remote code execution (RCE) in the context of a process using the library.
The HDF5 library should be updated to version 1.14.4 or later, where the error has been fixed according to vendor information available at: https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/
HDF5 Library in versions up to and including 1.14.3 (Hdfgroup HDF5 through 1.14.3).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHdfgroup Hdf5
APPHdfgroup< 1.14.4
Related vulnerabilities
Podatność RCE/DoS w bibliotece HDF5 — uszkodzenie pamięci w H5A__close
Stack buffer overflow w HDF5 — RCE lub DoS przez uszkodzenie wskaźnika instrukcji
HDF5: heap buffer overflow w H5HG_read umożliwiający RCE lub DoS
Buffer overflow w HDF5 H5Z__filter_scaleoffset – RCE lub DoS
HDF5 Library: heap-based buffer overflow w dekompresji nbit