HDFGroup · bmribler · Sep 16, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -557,6 +557,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file
 
 ## Library
 
+### Fixed security issue CVE-2025-7067
+
+   Fixed a heap buffer overflow in H5FS__sinfo_serialize_node_cb() by discarding file free space sections from the file free space manager when they are found to be invalid. Specifically crafted HDF5 files can result in an attempt to insert duplicate or overlapping file free space sections into a file free space manager, later resulting in a buffer overflow when the same free space section is serialized to the file multiple times.
+
+   Fixes GitHub issue #5577
+
 ### Fixed security issue CVE-2025-2915 and OSV-2024-381
 
    Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
@@ -622,6 +628,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file
 
    Fixes GitHub issue [#5382](https://github.com/HDFGroup/hdf5/issues/5382)
 
+### Fixed security issues CVE-2025-2913 and CVE-2025-2926
+
+   The size of a continuation message was decoded as 0, causing multiple vulnerabilities.  An error check was added to return failure to prevent further processing of invalid data.
+
+   Fixes GitHub issue #5376 and #5384
+
 ### Revised handling of Unicode filenames on Windows<a name="utf-8">
 
    In the HDF5 1.14.4 release, a change was made to address some issues with the library's handling of code pages and file paths on Windows.  This change introduced other issues with the handling of UTF-8 file names that caused breakage for software using the 1.14.4 and 1.14.5 releases of HDF5. That change was reverted for the 1.14.6 release and the behavior has been slightly modified for this release.

@@ -595,13 +595,15 @@ H5O__cache_free_icr(void *_thing)
 static herr_t
 H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
 {
-    const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
+    const H5O_chk_cache_ud_t *udata     = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
+    herr_t                    ret_value = SUCCEED;
 
     FUNC_ENTER_PACKAGE_NOERR
 
     assert(udata);
     assert(udata->oh);
     assert(image_len);
+    assert(udata->size);
 
     /* Set the image length size */
     *image_len = udata->size;