CVE-2026-26200 - Vulnerability Details

- HDF5 Affected by H5T__conv_struct_opt Heap Buffer Overflow

Description

HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.

Published: 2026-02-19

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A malformed HDF5 file can trigger a write‑based heap buffer overflow in the H5T__conv_struct_opt conversion routine. The flaw may cause a denial of service, and depending on the target operating system it could potentially enable remote code execution. The weakness is catalogued as a buffer overflow (CWE-122), erroneous buffer size handling (CWE-131), and an out‑of‑bounds write (CWE-787).

Affected Systems

The vulnerability affects all installations of the HDFGroup HDF5 library older than version 1.14.4-2. Any system that processes untrusted HDF5 files with this library is at risk.

Risk and Exploitability

The CVSS score of 7.8 signals a high severity issue, while the EPSS score of less than 1 % indicates a very low probability of real‑world exploitation. The flaw is not catalogued in the CISA KEV list. An attacker must supply or force the processing of a malicious .h5 file, giving them local or remote access depending on how the library is used in the application. If the operating system can be manipulated via the overflow, remote code execution may be achieved; however, this remains speculative at present.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

HDFGroup

hdf5

affected

Version	Status	Constraints
`< 1.14.4-2`	affected	—

Configuration 1 [-]

cpe:2.3:a:hdfgroup:hdf5:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Hdfgroup

Hdf5

100%

Version	Status	Scheme	Platform
`[0,1.14.4-2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade HDF5 to version 1.14.4-2 or later.
If an immediate upgrade is not available, implement rigorous input validation to reject or sanitize malformed HDF5 files before they reach the library.
Enforce strict access controls so that only trusted users or processes can provide HDF5 files to the application.

Generated by OpenCVE AI on April 18, 2026 at 11:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/HDFGroup/hdf5/security/advisories/GHSA-5p2m-j456-9mr2
https://nvd.nist.gov/vuln/detail/CVE-2026-26200
https://www.cve.org/CVERecord?id=CVE-2026-26200

History

Fri, 20 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
CPEs		cpe:2.3:a:hdfgroup:hdf5::::::::

Fri, 20 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://nvd.nist.gov/vuln/detail/CVE-2026-26200 https://www.cve.org/CVERecord?id=CVE-2026-26200
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 20 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hdfgroup Hdfgroup hdf5
Vendors & Products		Hdfgroup Hdfgroup hdf5

Fri, 20 Feb 2026 01:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 19 Feb 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.
Title		HDF5 Affected by H5T__conv_struct_opt Heap Buffer Overflow
Weaknesses		CWE-122
References		https://github.com/HDFGroup/hdf5/security/advisories/GHSA-5p2m-j456-9mr2
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Hdfgroup Hdf5

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-19T19:19:10.512Z

Updated: 2026-02-19T21:23:04.319Z

Reserved: 2026-02-11T19:56:24.813Z

Link: CVE-2026-26200

Vulnrichment

Updated: 2026-02-19T21:16:39.592Z

NVD

Status : Analyzed

Published: 2026-02-19T20:25:42.610

Modified: 2026-02-20T20:14:37.683

Link: CVE-2026-26200

Redhat

Severity : Important

Publid Date: 2026-02-19T19:19:10Z

Links: CVE-2026-26200 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object