Security Vulnerability Report
CVE-2026-34734 CVSS 7.8 HIGH

CVE-2026-34734

Published: 2026-04-09 20:16:25
Last Modified: 2026-04-14 20:09:51

Description

HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hdfgroup:hdf5:*:*:*:*:*:*:*:* - VULNERABLE
HDF5 <= 1.14.1-2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import subprocess

# Proof of Concept for CVE-2026-34734
# This script demonstrates the scenario where a malicious file is processed.
# Note: The specific binary pattern to trigger the UAF requires deep knowledge
# of the HDF5 file structure and is not included here for safety.


def create_malicious_h5(filename):
    # In a real exploit, this function would craft specific bytes
    # to trigger the UAF in H5T__conv_struct.
    with open(filename, 'wb') as f:
        # Placeholder for the malicious HDF5 file header and data blocks:
        # only the 8-byte HDF5 format signature is written here.
        f.write(b'\x89HDF\r\n\x1a\n')
        # Malicious data would follow here
    print(f"[+] Created malicious file: {filename}")


def trigger_vulnerability(filename):
    try:
        print(f"[*] Attempting to run h5dump on {filename}...")
        # This simulates the victim running the utility
        result = subprocess.run(['h5dump', filename], capture_output=True, text=True)
        print(result.stdout)
        print(result.stderr)
    except Exception as e:
        # Also reached when h5dump is not installed (FileNotFoundError)
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    file_path = "exploit_cve_2026_34734.h5"
    create_malicious_h5(file_path)
    trigger_vulnerability(file_path)

References

https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34734",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-09T20:16:25.437",
    "lastModified": "2026-04-14T20:09:51.313",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-416"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hdfgroup:hdf5:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.14.1-2",
                "matchCriteriaId": "D8B60376-0798-400E-9C01-184EE73C4A51"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}