CVE-2025-2308 — Improper Restriction of Operations within the Bounds of a Memory Buffer in HDF5
Severity
4.8 MEDIUM (NVD)
EPSS
0.1%
top 84.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 14
Description
A vulnerability, which was classified as critical, was found in HDF5 1.14.6. It affects the function H5Z__scaleoffset_decompress_one_byte of the Scale-Offset Filter component. Manipulation leads to a heap-based buffer overflow. The attack requires local access. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.
CVSS vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Packages: 9 packages
Vulnerability Details: 2
Vendor Advisories: 3
Microsoft
Debian
CVE-2025-2308: hdf5 - A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Thi... (2025)
Microsoft
An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages aka CID-20c40794eb85. (2021-03-09)