Several new HDF5 CVE issues have been filed in MITRE and these should be released to the public sometime in the next few weeks. These CVE issues are similar to previous HDF5 CVEs in that they were discovered through fuzzing HDF5 files and involve segfaults or other problems when parsing malformed HDF5 files. These are typically rated as “medium” security by MITRE. They are all fixed in HDF5 1.14.4 (released April 15, 2024) and no MITRE CVE issues are unaddressed.
More information about the issues can be found in:
- The HDF5 1.14.4 release notes
- The HDF5 CVE test repository’s list of CVE issues:
- The MITRE website (though the new CVEs are not active yet):
These files have been added to the HDF5 CVE test repo, which includes a test script that is run on every HDF5 pull request. The HDF5 developers will continue to fuzz test HDF5 in order to locate and fix further file parsing issues.
Full details with all CVE numbers on the blog: