Heap-based buffer overflow in HDF5 - CVE-2016-4331
Published: April 25, 2018
Vulnerability identifier: #VU12153
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-4331
CWE-ID: CWE-122
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: HDF Group
Affected software:
HDF5
HDF5
Detailed vulnerability description
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to library's failure to ensure that the precision is within the bounds of the size when decoding data out of a dataset encoded with the H5Z_NBIT decoding. A local attacker can trigger heap-based buffer overflow and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to library's failure to ensure that the precision is within the bounds of the size when decoding data out of a dataset encoded with the H5Z_NBIT decoding. A local attacker can trigger heap-based buffer overflow and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2016-4331
Install update from vendor's website.