Cyber Resilience

CVE-2026-26200

High · Public PoC

Published: 19 February 2026

Modified: 20 February 2026
KEV Added
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26200 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Hdfgroup Hdf5. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 18.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26200 is a write-based heap buffer overflow vulnerability (CWE-122, CWE-787) in the HDF5 data management software. Versions of HDF5 prior to 1.14.4-2 are affected when parsing malicious .h5 files, allowing an attacker with control over such a file to trigger the overflow condition.

An attacker can exploit this vulnerability locally by tricking a user into opening a specially crafted .h5 file with an affected HDF5 parser. This requires no privileges (PR:N) but does require user interaction (UI:R) and local access (AV:L), with low attack complexity (AC:L). Successful exploitation leads to denial-of-service, with potential for remote code execution depending on heap overflow exploitability against modern operating systems.

The GitHub Security Advisory (GHSA-5p2m-j456-9mr2) from the HDF Group confirms that upgrading to version 1.14.4-2 resolves the issue.

Real-world exploitability for remote code execution remains unknown.

EU & UK References

Vulnerability details

HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is triggered by tricking a user into opening a malicious .h5 file with the vulnerable HDF5 parser (local vector, UI:R), directly enabling User Execution via Malicious File. The heap overflow may yield RCE in the client process context, but no other techniques (e.g., T1190, T1203, T1059) are directly facilitated by the described attack.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-2153 · Same product: Hdfgroup Hdf5
CVE-2026-34734 · Same product: Hdfgroup Hdf5
CVE-2025-2310 · Same product: Hdfgroup Hdf5
CVE-2025-2308 · Same product: Hdfgroup Hdf5
CVE-2025-2309 · Same product: Hdfgroup Hdf5
CVE-2025-1651 · Shared CWE-122, CWE-787
CVE-2026-21304 · Shared CWE-122, CWE-787
CVE-2026-29022 · Shared CWE-122, CWE-787
CVE-2026-25583 · Shared CWE-122, CWE-787
CVE-2026-21504 · Shared CWE-122, CWE-787

Affected Assets

hdfgroup
hdf5
≤ 1.14.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and timely remediation of software flaws like the heap buffer overflow in HDF5 prior to version 1.14.4-2.

prevent

Implements memory protection mechanisms such as ASLR and DEP that mitigate exploitation of the heap buffer overflow for remote code execution or denial-of-service.

prevent

Requires validation of file inputs to the HDF5 parser, potentially blocking malicious .h5 files that trigger the write-based heap buffer overflow.

References