CVE-2026-26200
Published: 19 February 2026
Summary
CVE-2026-26200 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in the HDF Group's HDF5. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 18.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26200 is a write-based heap buffer overflow vulnerability (CWE-122, CWE-787) in the HDF5 data management software. Versions of HDF5 prior to 1.14.4-2 are affected when parsing malicious .h5 files, allowing an attacker with control over such a file to trigger the overflow condition.
An attacker can exploit this vulnerability locally by tricking a user into opening a specially crafted .h5 file with an affected HDF5 parser. Exploitation requires no privileges (PR:N), but it does require user interaction (UI:R) and local access (AV:L), with low attack complexity (AC:L). Successful exploitation leads to denial of service, with potential for remote code execution depending on how exploitable the heap overflow is on modern operating systems.
The GitHub Security Advisory (GHSA-5p2m-j456-9mr2) from the HDF Group confirms that upgrading to version 1.14.4-2 resolves the issue.
Real-world exploitability for remote code execution remains unknown.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7979
Vulnerability details
HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by tricking a user into opening a malicious .h5 file with the vulnerable HDF5 parser (local vector, UI:R), which directly enables User Execution via Malicious File. The heap overflow may yield RCE in the client process context, but no other techniques (e.g., T1190, T1203, T1059) are directly facilitated by the described attack.
Mitigating Controls (NIST 800-53 r5)
Directly requires identification, reporting, and timely remediation of software flaws like the heap buffer overflow in HDF5 prior to version 1.14.4-2.
Implements memory protection mechanisms such as ASLR and DEP that mitigate exploitation of the heap buffer overflow for remote code execution or denial-of-service.
Requires validation of file inputs to the HDF5 parser, potentially blocking malicious .h5 files that trigger the write-based heap buffer overflow.