CVE-2024-29160: 
NixOS vulnerability analysis and mitigation

HDF5 through version 1.14.3 contains a critical heap buffer overflow vulnerability in the H5HG_cacheheap_deserialize function. The vulnerability was discovered and disclosed in May 2024, affecting all versions of HDF5 up to and including 1.14.3. This security flaw has been assigned CVE-2024-29160 and has received a CVSS v3.1 base score of 7.4 (High) (NVD, HDF Group).

The vulnerability is characterized as a heap buffer overflow in the H5HG_cacheheap_deserialize function, which can lead to the corruption of the instruction pointer. The severity is rated as HIGH with a CVSS v3.1 base score of 7.4 and vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-122 (Heap-based Buffer Overflow) (NVD).

The vulnerability can result in the corruption of the instruction pointer, potentially leading to denial of service conditions or code execution on affected systems. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in HDF5 version 1.14.4, released on April 15, 2024. Users are advised to upgrade to this version to mitigate the risk (HDF Group).