CVE-2016-4332: Input Validation
First published: Fri Nov 18 2016(Updated: )
The library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type and the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library.
Credit: cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HDF5 | =1.8.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-4332?
The severity of CVE-2016-4332 is considered high due to its potential to allow for arbitrary code execution through heap buffer overflow.
How do I fix CVE-2016-4332?
To fix CVE-2016-4332, upgrade the HDF5 library to version 1.8.17 or later, as it contains the necessary patches.
What types of systems are affected by CVE-2016-4332?
CVE-2016-4332 affects systems using HDF5 version 1.8.16, commonly in data processing and scientific applications.
Can CVE-2016-4332 lead to data loss?
Yes, CVE-2016-4332 can potentially lead to data loss due to arbitrary code execution resulting from a heap buffer overflow.
Is CVE-2016-4332 exploitable remotely?
Yes, CVE-2016-4332 is exploitable remotely if the affected HDF5 library is used in network-facing applications.
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/hdfgroup
- canonical/hdf5
- version/hdf5/1.8.16