CVE-2026-34734

Published: Apr 9, 2026Modified: Apr 14, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.

Affected (1)

Products: Hdfgroup: Hdf5

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hdfgroup Hdf5	Before 1.14.1-2

Related CWEs

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (2)

https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.