CVE-2025-2309Improper Restriction of Operations within the Bounds of a Memory Buffer in Hdf5

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-122Heap-based Buffer OverflowCWE-787Out-of-bounds WriteCWE-476NULL Pointer Dereference6 documents5 sources
Severity
4.8MEDIUMNVD
EPSS
0.1%
top 82.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
Hdfgroup Hdf5Debian Hdf5Msrc Azl3 Hdf5 1.14.4.3-1 ON Azure Linux 3.0+9 more
Timeline
PublishedMar 14

Description

A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages12 packages

debiandebian/hdf5
NVDhdfgroup/hdf51.14.6

🔴Vulnerability Details

2
OSV
CVE-2025-2309: A vulnerability has been found in HDF5 12025-03-14
GHSA
GHSA-76vw-8gm2-pwmh: A vulnerability has been found in HDF5 12025-03-14

📋Vendor Advisories

3
Microsoft
HDF5 Type Conversion Logic H5T__bit_copy heap-based overflow2025-03-11
Debian
CVE-2025-2309: hdf5 - A vulnerability has been found in HDF5 1.14.6 and classified as critical. This v...2025
Microsoft
NULL Pointer Dereference in lxml/lxml2022-07-12