CVE-2026-14684
LowCVSS 3.3Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A vulnerability has been found in HdrHistogram up to version 2.2.2, involving uncontrolled memory allocation in the decodeFromByteBuffer function of the AbstractHistogram class. The numberOfSignificantValueDigits argument can be manipulated, leading to memory exhaustion. The attack requires local access and an exploit has been published.
Risk Assessment
The organization is at risk of denial of service due to memory exhaustion by a local user, potentially crashing applications using this library. The lack of response from the project increases the exploitation risk.
Recommendation
Immediately update HdrHistogram to version 2.2.3 or later if available. If no patch is available, restrict local access to systems using this library and monitor memory usage.
Original NVD description (English source)
A flaw has been found in HdrHistogram up to 2.2.2. This affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numberOfSignificantValueDigits causes uncontrolled memory allocation. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

