CVE-2025-7067
BaseFortify

Publication date: 2025-07-04

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5FS__sinfo_serialize_node_cb of the file src/H5FScache.c. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-07-04
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-07-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: hdfgroup
Product: hdf5
Version / Range: 1.14.6
CWE
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7067 is a heap-based buffer overflow vulnerability in the HDF5 library version 1.14.6. It occurs in the function H5FS__sinfo_serialize_node_cb within the source file src/H5FScache.c. The vulnerability happens when the function writes one byte beyond the allocated heap buffer during serialization of file space information nodes, causing memory corruption. This overflow can be triggered by specially crafted input but requires local access to the system. The issue can lead to crashes or exploitable conditions during cache flushing or file closing operations. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by causing denial of service (DoS) conditions due to memory corruption from the heap-based buffer overflow. Since it corrupts heap memory during file space serialization, it may cause application crashes or unstable behavior when using the affected HDF5 library. Exploitation requires local access and privileges, so remote attacks are not feasible. There are no known mitigations, and the vulnerability may be exploited using publicly available proof-of-concept code. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reproducing the heap-based buffer overflow condition using fuzz testing tools such as the OSS-Fuzz harness 'h5_extended_fuzzer.c' on a system with AddressSanitizer enabled. Building the HDF5 library with AddressSanitizer and running the fuzzing harness can reveal the overflow during cache flushing operations. Specific commands would involve cloning the HDF5 repository, compiling it with AddressSanitizer, and executing the fuzzing harness to trigger the vulnerability. However, no network detection commands are applicable since local access is required and the vulnerability is triggered locally. [3]
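
An inventory check to go with the answer above, added here as an example and not taken from BaseFortify or the HDF5 project: it reports every HDF5 copy under a directory and flags the 1.14.6 release listed on this page. It assumes the H5_VERS_* macros in H5public.h and the "HDF5 library version:" banner string compiled into libhdf5; the function names are made up for this example.

```sh
#!/bin/sh
# Added example (not HDF5 project code): find HDF5 copies and flag 1.14.6.
AFFECTED="1.14.6"   # the only affected version listed on this page

# Print major.minor.release from the H5_VERS_* macros in an H5public.h header.
hdf5_header_version() {
    awk '
        $1 == "#define" && $2 == "H5_VERS_MAJOR"   { maj = $3 }
        $1 == "#define" && $2 == "H5_VERS_MINOR"   { min = $3 }
        $1 == "#define" && $2 == "H5_VERS_RELEASE" { rel = $3 }
        END { if (maj != "" && min != "" && rel != "") print maj "." min "." rel }
    ' "$1"
}

# Print the version from the banner string embedded in a libhdf5 binary.
# This covers copies shipped without headers, e.g. libraries bundled
# inside Python wheels or application directories.
hdf5_binary_version() {
    LC_ALL=C grep -a -o 'HDF5 library version: [0-9][0-9.]*' "$1" 2>/dev/null |
        head -n 1 | awk '{ print $NF }'
}

# Walk a directory tree, print one line per HDF5 copy found, and
# return 1 if any copy is the affected release, otherwise 0.
scan_hdf5() {
    found=0
    list=$(mktemp)
    find "$1" -type f \( -name 'H5public.h' -o -name 'libhdf5*.so*' \
        -o -name 'libhdf5*.dylib' -o -name 'libhdf5*.a' \) 2>/dev/null > "$list"
    while IFS= read -r f; do
        case $f in
            *.h) v=$(hdf5_header_version "$f") ;;
            *)   v=$(hdf5_binary_version "$f") ;;
        esac
        [ -n "$v" ] || continue   # e.g. libhdf5_hl carries no banner
        if [ "$v" = "$AFFECTED" ]; then
            echo "AFFECTED  $v  $f"; found=1
        else
            echo "ok        $v  $f"
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Usage: sh scan.sh /usr   (or a virtualenv, container rootfs, build tree)
if [ "$#" -gt 0 ]; then scan_hdf5 "$1"; fi
```

A non-zero exit status means at least one copy of the affected release was found, which makes the script usable as a gate in CI or image builds.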


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting local access to trusted users only, as exploitation requires local privileges. Since no known countermeasures or patches are currently available, it is recommended to consider replacing the affected HDF5 version 1.14.6 with an alternative or updated component once available. Monitoring for official patches or updates from the HDF5 project is advised. [2]

