CVE-2020-18494

8.8 HIGH

📋 TL;DR

CVE-2020-18494 is a buffer overflow vulnerability in the HDF5 library's H5S_close function that allows remote attackers to execute arbitrary code by tricking users or systems into processing a maliciously crafted HDF5 file. This affects any application or system using HDF5 1.10.4 for scientific data processing. Attackers could gain full control of affected systems through a crafted file.

💻 Affected Systems

Products:
  • HDF5 library
  • Applications using HDF5 (Python h5py, MATLAB, scientific software)
Versions: HDF5 1.10.4 specifically
Operating Systems: Linux, Windows, macOS, Unix variants
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against vulnerable HDF5 library is affected when processing HDF5 files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within networks.

🟠 Likely Case: Application crash leading to denial of service, with potential for RCE if exploit is weaponized.

🟢 If Mitigated: Application crash without code execution if ASLR/DEP protections are effective.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files or automated processing of untrusted files.
🏢 Internal Only: MEDIUM - Internal users could exploit via malicious files in shared storage or workflows.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

A public PoC exists in a GitHub repository. Exploitation requires a user to open a crafted file, or automated processing of untrusted files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HDF5 1.10.5 and later

Vendor Advisory: https://portal.hdfgroup.org/display/support/security

Restart Required: Yes

Instructions:

1. Download HDF5 1.10.5+ from https://www.hdfgroup.org/downloads/hdf5/
2. Compile and install new version
3. Recompile applications against patched library
4. Restart affected services

🔧 Temporary Workarounds

Input validation for HDF5 files (platform: all)

Implement strict validation of HDF5 files before processing

Sandbox HDF5 processing (platform: linux)

Run HDF5 file processing in isolated containers or sandboxes

docker run --rm -v /path/to/files:/data your-app

🧯 If You Can't Patch

  • Implement strict file upload controls and scan all incoming HDF5 files
  • Isolate systems processing HDF5 files using network segmentation and minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check HDF5 library version: h5dump --version or ldd /path/to/application | grep hdf5

Check Version:

h5dump --version 2>/dev/null || strings /usr/lib/*hdf5* 2>/dev/null | grep 'HDF5 Version'

Verify Fix Applied:

Verify version is 1.10.5 or higher (dots escaped and two-digit patch levels such as 1.10.10 accepted): h5dump --version | grep -Eq '1\.10\.([5-9]|[1-9][0-9])|1\.1[1-9]'
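
Pattern-matching a version string is fragile (a [5-9] character class rejects 1.10.10, for instance), so a numeric field-by-field comparison is safer in fleet checks. The script below is an added example, not part of the original advisory or of any HDF5 tool; the function names are hypothetical and it assumes the tool output contains a version of the form X.Y.Z.

```shell
#!/bin/sh
# Added example: classify an HDF5 version against CVE-2020-18494.
# Per the page: 1.10.4 is affected; 1.10.5 and later carry the fix.
# Function names are hypothetical, not part of any HDF5 tool.

# Print the first X.Y.Z token found on stdin (empty if none).
extract_version() {
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, field by field,
# numerically (so 1.10.10 > 1.10.5, which a [5-9] character class misses).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# hdf5_status TEXT: print a verdict for the version found in TEXT.
# Exit status: 0 patched, 1 vulnerable, 2 unknown, 3 older than the fix.
hdf5_status() {
    hs_ver=$(printf '%s\n' "$1" | extract_version)
    if [ -z "$hs_ver" ]; then echo "unknown"; return 2; fi
    if version_ge "$hs_ver" 1.10.5; then echo "patched $hs_ver"; return 0; fi
    if [ "$hs_ver" = "1.10.4" ]; then echo "vulnerable $hs_ver"; return 1; fi
    # Below the fix version but not the release the page lists as affected.
    echo "review $hs_ver"; return 3
}

# Constructed sample outputs (not captured from a real system).
# Real use: hdf5_status "$(h5dump --version 2>/dev/null)"
while IFS= read -r sample; do
    printf '%-26s -> %s\n' "$sample" "$(hdf5_status "$sample")"
done <<'EOF'
h5dump: Version 1.10.4
h5dump: Version 1.10.10
HDF5 Version: 1.12.2
HDF5 Version: 1.8.21
h5dump: command not found
EOF
```

The "review" verdict marks versions below 1.10.5 that the page does not list as affected; the "unknown" verdict covers hosts where no version string could be read.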

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with HDF5 library errors
  • Segmentation faults in HDF5-related processes

Network Indicators:

  • Unexpected HDF5 file transfers to sensitive systems

SIEM Query:

process_name:h5* AND (event_type:crash OR exit_code:139)
