CVE-2025-2310
Published: 14 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2310 is a heap-based buffer overflow vulnerability in the H5MM_strndup function of the Metadata Attribute Decoder component in HDF5 version 1.14.6. Published on 2025-03-14, it is classified as critical and maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-122 (Heap-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).
Exploitation requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N). Scope is unchanged (S:U) and the impacts to confidentiality, integrity, and availability are low (C:L/I:L/A:L), for an overall CVSS v3.1 base score of 5.3. A proof-of-concept exploit has been publicly disclosed, enabling local attackers to potentially trigger the overflow through crafted manipulation.
Advisories from VulDB (ctiid.299723, id.299723, submit.514533) and a GitHub crash report POC (madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc4.md) indicate that the vendor plans to fix this issue in an upcoming release, with no patch available at publication time.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Data Processing Libraries
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- HDF5 is a data format and library for storing and managing large scientific datasets, commonly used in AI/ML pipelines for data processing during training and analysis. Referenced in Red Hat Enterprise Linux AI context.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap-based buffer overflow in the HDF5 library enables local arbitrary code execution, facilitating exploitation for privilege escalation.