Heap Use After Free Vulnerability in HDF5 Software by HDF Group
CVE-2026-34734

7.8 HIGH

Key Information:

Vendor: Hdfgroup

Status
Vendor
CVE Published: 9 April 2026

What is CVE-2026-34734?

HDF5, widely used software for managing and storing large datasets, contains a heap use-after-free vulnerability in the h5dump utility. An attacker who supplies a specially crafted HDF5 file can trigger the flaw during a memmove operation. The operation references an object that has already been freed, which can lead to unintended actions or access within the application's memory. HDF5 1.14.1 and earlier are affected; users should follow security best practices and update to a safer version.

Affected Version(s)

hdf5 <= 1.14.1-2

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved