PT-2024-6196 · Hdf5 Library

Published: 2024-05-09 · Updated: 2026-03-29 · CVE-2024-32621

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: HDF5 Library versions 1.14.3 and earlier

Description: The issue is a heap-based buffer overflow in the H5HG_read function in H5HG.c, which is called from H5VL__native_blob_get in H5VLnative_blob.c. The overflow results in corruption of the instruction pointer. A remote attacker can exploit the vulnerability to impact the confidentiality, integrity, and availability of protected information.

Recommendations: For HDF5 Library versions 1.14.3 and earlier, consider disabling the H5HG_read function as a temporary workaround until a patch is available. Restrict access to the H5HG.c and H5VLnative_blob.c files to minimize the risk of exploitation. Avoid using the H5VL__native_blob_get function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Heap Based Buffer Overflow

Related Identifiers

AZL-40561
AZL-40642
BDU:2024-07127
CVE-2024-32621
ECHO-E887-DFA2-D508
OESA-2024-2337
OESA-2024-2338
OESA-2024-2339
OESA-2024-2340
RHSA-2025:3801

Affected Products

Debian
Hdf5 Library
Red Os