CVE-2026-26200

HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-122"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26200.json"
}

References

Affected packages

Git / github.com/hdfgroup/hdf5

Affected ranges

Type: GIT
Repo: https://github.com/hdfgroup/hdf5
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f0ecc8bc26972119fb31b1cd548ea23fff4a3227

Affected versions

Other

before_removing_docs

before_removing_fphdf5

before_removing_mpiposix_vfd

before_removing_tbbt_code

before_signed_unsigned_changes

hdf5-1_0_0

hdf5-1_0_0-alpha2

hdf5-1_0_1

hdf5-1_13_0-rc1

hdf5-1_13_0-rc2

hdf5-1_13_0-rc3

hdf5-1_13_0-rc4

hdf5-1_13_0-rc5

hdf5-1_13_0-rc6

hdf5-1_2_0

hdf5-1_2_0-beta1-update2

hdf5-1_2_0beta

hdf5-1_2_1

hdf5-1_3_0

hdf5-1_3_1

hdf5-1_4_0

hdf5-1_4_1

hdf5-1_6_0

hdf5-1_6_1

hdf5-1_6_2

hdf5-1_8_0-alpha2

hdf5-1_8_0-alpha3

hdf5-1_8_0-alpha4

hdf5-1_8_0-beta1

hdf5-1_8_0-beta2

hdf5-1_8_0-beta3

hdf5-1_8_0-beta4

hdf5-1_8_0-beta5

hdf5-1_9-start

proto1

r1_1beta1

vms_last_support_trunk

hdf5_1.*

hdf5_1.14.4

hdf5_1.14.4.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26200.json"