FKIE_CVE-2026-26200

Vulnerability from fkie_nvd - Published: 2026-02-19 20:25 - Updated: 2026-02-20 20:14
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.
References
security-advisories@github.comhttps://github.com/HDFGroup/hdf5/security/advisories/GHSA-5p2m-j456-9mr2Exploit, Third Party Advisory
Impacted products
Vendor Product Version
hdfgroup hdf5 *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hdfgroup:hdf5:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "75A3E09A-12A9-4186-9CA7-F34D0D169F17",
              "versionEndExcluding": "1.14.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue."
    },
    {
      "lang": "es",
      "value": "HDF5 es un software para la gesti\u00f3n de datos. Antes de la versi\u00f3n 1.14.4-2, un atacante que puede controlar un archivo \u0027h5\u0027 analizado por HDF5 puede desencadenar una condici\u00f3n de desbordamiento de b\u00fafer de mont\u00edculo basado en escritura. Esto puede llevar a una condici\u00f3n de denegaci\u00f3n de servicio, y potencialmente a problemas adicionales como la ejecuci\u00f3n remota de c\u00f3digo dependiendo de la explotabilidad pr\u00e1ctica del desbordamiento de mont\u00edculo contra sistemas operativos modernos. La explotabilidad real de este problema en t\u00e9rminos de ejecuci\u00f3n remota de c\u00f3digo es actualmente desconocida. La versi\u00f3n 1.14.4-2 corrige el problema."
    }
  ],
  "id": "CVE-2026-26200",
  "lastModified": "2026-02-20T20:14:37.683",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-19T20:25:42.610",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/HDFGroup/hdf5/security/advisories/GHSA-5p2m-j456-9mr2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.