Platform: c
Component: hdf5
Fixed in: 1.14.2
CVE-2026-34734 describes a Use-After-Free vulnerability discovered in the HDF5 library, specifically within the h5dump helper utility. This flaw allows a malicious actor to craft a specially designed HDF5 file that, when processed, triggers a heap use-after-free condition. The vulnerability affects versions 1.0.0 up to and including 1.14.1-2, and a fix is available in version 1.14.2.
Successful exploitation of CVE-2026-34734 can lead to a denial-of-service (DoS) condition, crashing the application that processes the malicious HDF5 file. More critically, depending on the system's memory layout and the privileges of the process running h5dump, an attacker might be able to achieve arbitrary code execution, gaining control of the affected system or access to sensitive data stored in the HDF5 file or otherwise reachable by the process. The root cause is a freed object being referenced in a memmove call, a memory management error.
CVE-2026-34734 was publicly disclosed on 2026-04-09. The vulnerability's CVSS score is 7.8 (HIGH). There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing. Given the nature of Use-After-Free vulnerabilities, it is reasonable to expect that exploits may be developed in the future.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-34734 is to upgrade to HDF5 version 1.14.2 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, restrict the HDF5 files processed by h5dump to those from trusted sources. Input validation and sanitization of HDF5 files can also reduce the risk. A WAF or proxy cannot directly mitigate this vulnerability, but it can be configured to block suspicious file uploads or network traffic associated with HDF5 processing. After upgrading, confirm the fix by processing a known malicious HDF5 file (if one is available) and verifying that the application does not crash or behave unexpectedly.
Update to version 1.14.2 or later to mitigate the use-after-free issue. Refer to the official HDF Group documentation for specific upgrade instructions and vulnerability details. Avoid processing HDF5 files from untrusted sources.
CVE-2026-34734 is a Use-After-Free vulnerability affecting HDF5 versions 1.0.0 through 1.14.1-2. A malicious HDF5 file can trigger a heap use-after-free in the h5dump utility, potentially leading to DoS or code execution.
If you are using HDF5 versions 1.0.0 to 1.14.1-2, you are potentially affected. Check your HDF5 version and upgrade if necessary.
Upgrade to HDF5 version 1.14.2 or later to resolve this vulnerability. If immediate upgrade is not possible, restrict HDF5 file sources and implement input validation.
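The version check recommended above and in the mitigation section, as an added POSIX shell example that is not part of this advisory or of the HDF5 project: it classifies a version string against the affected range 1.0.0 through 1.14.1 (any packaging suffix) and the fixed version 1.14.2. The `-V` flag and the `h5dump: Version X.Y.Z` banner format are assumptions about h5dump's output, not taken from this page.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an HDF5 build falls in the
# CVE-2026-34734 affected range (1.0.0 through 1.14.1, any packaging suffix;
# fixed in 1.14.2). The "h5dump: Version X.Y.Z" banner and the -V flag are
# assumptions about h5dump's output, not taken from this page.

# Reduce "1.14.1-2" or "1.14.2" to "major minor release"; a "-N" packaging
# revision such as the "-2" in 1.14.1-2 is dropped before comparing.
hdf5_version_triplet() {
    printf '%s' "$1" | sed 's/-.*$//' | awk -F. '{ printf "%d %d %d", $1, $2, $3 }'
}

# Exit status 0 when the version is inside the affected range, 1 otherwise.
hdf5_affected() {
    set -- $(hdf5_version_triplet "$1")
    maj=$1; min=$2; rel=$3
    [ "$maj" -eq 1 ] || return 1        # only the 1.x series is listed as affected
    [ "$min" -le 14 ] || return 1       # 1.15+ is past the fix
    [ "$min" -lt 14 ] && return 0       # 1.0 .. 1.13 are all affected
    [ "$rel" -lt 2 ]                    # 1.14.0 and 1.14.1 affected, 1.14.2+ fixed
}

# Pull the version string out of a banner line such as "h5dump: Version 1.14.1-2".
hdf5_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*[-0-9]*\).*/\1/p'
}

# Inspect the h5dump on PATH and report; status 0 = affected, 1 = fixed, 2 = not installed.
check_installed_h5dump() {
    command -v h5dump >/dev/null 2>&1 || { echo "h5dump not found on PATH"; return 2; }
    ver=$(hdf5_version_from_banner "$(h5dump -V 2>&1)")
    if hdf5_affected "$ver"; then
        echo "h5dump $ver is in the CVE-2026-34734 affected range; upgrade to 1.14.2 or later"
        return 0
    fi
    echo "h5dump $ver is at or above the fixed version 1.14.2"
    return 1
}

# Run the live check only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_installed_h5dump; fi
```

Run it as `sh check.sh --check` on each host; a non-zero status of 1 means the installed h5dump is already at the fixed version.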
Currently, there are no publicly known active exploits for CVE-2026-34734, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official HDF5 project website and security advisories for the most up-to-date information regarding CVE-2026-34734.